Wso2: >> Api Manager >> 2.6.0 Security Vulnerabilities
An issue was discovered in WSO2 API Manager 2.6.0 before WSO2-CARBON-PATCH-4.4.0-4457. There is XSS via a crafted filename to the file-upload feature of the event simulator component.
CVSS Score
3.5
EPSS Score
0.003
Published
2019-08-16
An issue was discovered in WSO2 API Manager 2.6.0. It is possible for a logged-in user to upload, as API documentation, any type of file by changing the extension to an allowed one.
CVSS Score
5.4
EPSS Score
0.003
Published
2019-05-21
An issue was discovered in WSO2 API Manager 2.6.0. It is possible to force the application to perform requests to the internal workstation (SSRF port-scanning), other adjacent workstations (SSRF network scanning), or to enumerate files because of the existence of the file:// wrapper.
CVSS Score
4.1
EPSS Score
0.002
Published
2019-05-14
An issue was discovered in WSO2 API Manager 2.6.0. Uploaded documents for API documentation are available to an unauthenticated user.
CVSS Score
5.3
EPSS Score
0.007
Published
2019-05-14
An issue was discovered in WSO2 API Manager 2.1.0 and 2.6.0. A DOM-based XSS exists in the store part of the product.
CVSS Score
5.4
EPSS Score
0.003
Published
2019-03-21
An issue was discovered in WSO2 API Manager 2.1.0 and 2.6.0. Reflected XSS exists in the carbon part of the product.
CVSS Score
5.4
EPSS Score
0.003
Published
2019-03-21
Page 4