CVE-2024-8008

MEDIUM

WSO2 API Manager - Reflected Cross-Site Scripting via JDBC User Store Connection Validation Error Messages

Title source: llm
STIX 2.1

Description

A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to insufficient output encoding in error messages generated by the JDBC user store connection validation request. A malicious actor can inject a specially crafted payload into the request, causing the browser to execute arbitrary JavaScript in the context of the vulnerable page. This vulnerability may allow UI manipulation, redirection to malicious websites, or data exfiltration from the browser. However, since all session-related sensitive cookies are protected with the httpOnly flag, session hijacking is not possible.

References (1)

Core 1

Scores

CVSS v3 5.2
EPSS 0.0045
EPSS Percentile 36.3%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (17)
org.wso2.carbon.identity.framework/org.wso2.carbon.identity.user.store.configuration.ui 0 - 7.5.12Maven
wso2/api_manager 3.1.0
wso2/api_manager 3.2.0
wso2/api_manager 3.2.1
wso2/api_manager 4.0.0
wso2/api_manager 4.1.0
wso2/api_manager 4.2.0
wso2/api_manager 4.3.0
wso2/enterprise_integrator 6.6.0
wso2/identity_server 5.10.0
... and 7 more
Published Jun 02, 2025
Tracked Since Feb 18, 2026