CVE-2024-4867
MEDIUMCross-Site Scripting via Developer Portal in WSO2 API Manager Enables UI Modification and Information Retrieval
Title source: cnaDescription
The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output encoding. This deficiency allows a malicious actor to inject script content that is executed within the context of a user's browser. By leveraging this cross-site scripting vulnerability, a malicious actor can cause the browser to redirect to a malicious website, make changes to the UI of the web page, or retrieve information from the browser. However, session hijacking is not possible as all session-related sensitive cookies are protected by the httpOnly flag.
References (1)
Core 1
Core References
Vendor Advisory vendor-advisory
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3391/
Scores
CVSS v3
5.4
EPSS
0.0019
EPSS Percentile
9.3%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (6)
wso2/api_manager
3.2.0 - 3.2.0.408
WSO2/WSO2 API Manager
< 3.2.0
WSO2/WSO2 API Manager
3.2.0 - 3.2.0.408
WSO2/WSO2 API Manager
3.2.1 - 3.2.1.32
WSO2/WSO2 API Manager
4.0.0 - 4.0.0.293
WSO2/WSO2 API Manager
4.1.0 - 4.1.0.187
Published
Apr 16, 2026
Tracked Since
Apr 16, 2026