Authenticated Stored Cross-Site Scripting (XSS) in Multiple WSO2 Products via...

4.8 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Description

An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper validation of user-supplied input during API document upload in the Publisher portal. A user with publisher privileges can upload a crafted API document containing malicious JavaScript, which is later rendered in the browser when accessed by other users.

A successful attack could result in redirection to malicious websites, unauthorized UI modifications, or exfiltration of browser-accessible data. However, session-related sensitive cookies are protected by the httpOnly flag, preventing session hijacking.

Basic Information

ID CVE-2025-4760

Source WSO2

Published Sep 23, 2025 at 14:55

Affected Product

Vendor WSO2

Product WSO2 API Manager

Affected Versions WSO2 WSO2 API Manager 3.2.0
WSO2 WSO2 API Manager 3.2.1
WSO2 WSO2 API Manager 4.1.0
WSO2 WSO2 API Manager 4.2.0
WSO2 WSO2 API Manager 4.3.0
WSO2 WSO2 API Manager 4.4.0
WSO2 WSO2 API Manager 4.5.0
WSO2 WSO2 API Control Plane 4.5.0
WSO2 WSO2 Universal Gateway 4.5.0
WSO2 WSO2 Traffic Manager 4.5.0
WSO2 WSO2 Carbon API Management API 6.7.206
WSO2 WSO2 Carbon API Management API 6.7.210
WSO2 WSO2 Carbon API Management API 9.20.74
WSO2 WSO2 Carbon API Management API 9.28.116
WSO2 WSO2 Carbon API Management API 9.29.120
WSO2 WSO2 Carbon API Management API 9.30.67
WSO2 WSO2 Carbon API Management API 9.31.86

CWE Classification

CWE-79

References

security.docs.wso2.com /en/latest/security-announcements/security-advisories/2025/WSO2-2025-4104/

{
    "lastseen": "",
    "description": "An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper validation of user-supplied input during API document upload in the Publisher portal. A user with publisher privileges can upload a crafted API document containing malicious JavaScript, which is later rendered in the browser when accessed by other users.\n\nA successful attack could result in redirection to malicious websites, unauthorized UI modifications, or exfiltration of browser-accessible data. However, session-related sensitive cookies are protected by the httpOnly flag, preventing session hijacking.",
    "published": "2025-09-23T14:55:04.917Z",
    "modified": "2025-09-23T14:55:04.917Z",
    "type": "cve",
    "title": "Authenticated Stored Cross-Site Scripting (XSS) in Multiple WSO2 Products via API Document Upload in Publisher",
    "source": "WSO2",
    "references": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4104/",
    "id": "CVE-2025-4760",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "WSO2 WSO2 API Manager 3.2.0\nWSO2 WSO2 API Manager 3.2.1\nWSO2 WSO2 API Manager 4.1.0\nWSO2 WSO2 API Manager 4.2.0\nWSO2 WSO2 API Manager 4.3.0\nWSO2 WSO2 API Manager 4.4.0\nWSO2 WSO2 API Manager 4.5.0\nWSO2 WSO2 API Control Plane 4.5.0\nWSO2 WSO2 Universal Gateway 4.5.0\nWSO2 WSO2 Traffic Manager 4.5.0\nWSO2 WSO2 Carbon API Management API 6.7.206\nWSO2 WSO2 Carbon API Management API 6.7.210\nWSO2 WSO2 Carbon API Management API 9.20.74\nWSO2 WSO2 Carbon API Management API 9.28.116\nWSO2 WSO2 Carbon API Management API 9.29.120\nWSO2 WSO2 Carbon API Management API 9.30.67\nWSO2 WSO2 Carbon API Management API 9.31.86",
    "sourceHref": "",
    "cvss": {
        "score": 4.8,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "WSO2 API Manager",
    "version": "0",
    "vendor": "WSO2",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Authenticated Stored Cross-Site Scripting (XSS) in Multiple WSO2 Products via API Document Upload in Publisher_CVE-2025-4760