CVE-2024-5848 MEDIUM

CVE-2024-5848: Reflected Cross-Site Scripting (XSS) in Multiple WSO2 Products Due to Improper Input Validation

Vendor WSO2
Product WSO2 API Manager
Weakness CWE-79 · XSS
Published February 27, 2025
Last update February 27, 2025

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

Description

A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper input validation. User-supplied data is directly included in server responses from vulnerable service endpoints without proper sanitization or encoding, allowing an attacker to inject malicious JavaScript. Successful exploitation could lead to UI manipulation, redirection to malicious websites, or data exfiltration from the browser. While session-related sensitive cookies are protected with the httpOnly flag, mitigating session hijacking risks, the impact may vary depending on gateway-level service restrictions.
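The pattern the description names (user-supplied data placed into an HTML response without encoding) is illustrated below with an added example; this is generic code written for this page, not WSO2's code, and the greeting endpoint, the parameter and the sample input are constructed assumptions. It puts the vulnerable concatenation beside its encoded form and adds a simple defender's check that flags a response echoing raw input containing HTML metacharacters verbatim.

```python
import html

# Constructed sample input: a query parameter that a service endpoint echoes back.
# The endpoint, parameter and this value are assumptions for illustration only.
SAMPLE_INPUT = 'alice<img src=x onerror="x">'


def render_unencoded(name: str) -> str:
    """Vulnerable pattern: the parameter is concatenated straight into the HTML body,
    so any markup in it becomes part of the page the browser renders."""
    return "<html><body>Hello, " + name + "</body></html>"


def render_encoded(name: str) -> str:
    """Hardened pattern: HTML-encode the value before placing it in element content.
    '<', '>', '&' and quotes become entities, so the browser shows them as text."""
    return "<html><body>Hello, " + html.escape(name, quote=True) + "</body></html>"


def render_attr_encoded(name: str) -> str:
    """Attribute context: encode (including quotes) and keep the value inside a
    quoted attribute, so it cannot break out of the attribute."""
    return '<input type="text" value="' + html.escape(name, quote=True) + '">'


def reflects_unencoded(user_input: str, response_body: str) -> bool:
    """Defender's check for a request/response pair: true when the input carries
    HTML metacharacters and the response contains that input byte-for-byte,
    i.e. it was reflected without encoding."""
    meta = ("<", ">", '"', "'")
    return any(ch in user_input for ch in meta) and user_input in response_body


if __name__ == "__main__":
    for renderer in (render_unencoded, render_encoded):
        body = renderer(SAMPLE_INPUT)
        print(renderer.__name__, "reflects unencoded:", reflects_unencoded(SAMPLE_INPUT, body))
```

The check is context-blind on purpose: it is cheap enough to run over proxy or gateway logs as a first-pass indicator, while the fix that actually removes the finding is the context-appropriate encoding shown in `render_encoded` and `render_attr_encoded`.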

Key dates

Disclosure timeline

February 27, 2025 CVE published
February 27, 2025 Record updated