CVEDB API

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2024-4867

The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output encoding. This deficiency allows a malicious actor to inject script content that is executed within the context of a user's browser. By leveraging this cross-site scripting vulnerability, a malicious actor can cause the browser to redirect to a malicious website, make changes to the UI of the web page, or retrieve information from the browser. However, session hijacking is not possible as all session-related sensitive cookies are protected by the httpOnly flag.

Exploit prediction scoring system (EPSS) score

EPSS Score 0.0

EPSS Ranking 1.2%

CVSS Severity

CVSS v3 Score 5.4

References

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3391/

Products affected by CVE-2024-4867

Wso2 » Api Manager » Version: 3.2.0

cpe:2.3:a:wso2:api_manager:3.2.0
Wso2 » Api Manager » Version: 3.2.1

cpe:2.3:a:wso2:api_manager:3.2.1
Wso2 » Api Manager » Version: 4.0.0

cpe:2.3:a:wso2:api_manager:4.0.0
Wso2 » Api Manager » Version: 4.1.0

cpe:2.3:a:wso2:api_manager:4.1.0

Vulnerabilities

Vulnerable Software

Vulnerability Details CVE-2024-4867

Products

Pricing

Contact Us