CVE-2024-8008
MEDIUMWSO2 API Manager - Reflected Cross-Site Scripting via JDBC User Store Connection Validation Error Messages
Title source: llmDescription
A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to insufficient output encoding in error messages generated by the JDBC user store connection validation request. A malicious actor can inject a specially crafted payload into the request, causing the browser to execute arbitrary JavaScript in the context of the vulnerable page. This vulnerability may allow UI manipulation, redirection to malicious websites, or data exfiltration from the browser. However, since all session-related sensitive cookies are protected with the httpOnly flag, session hijacking is not possible.
References (1)
Core 1
Core References
Vendor Advisory vendor-advisory
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3178/
Scores
CVSS v3
5.2
EPSS
0.0045
EPSS Percentile
36.3%
Attack Vector
ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (17)
org.wso2.carbon.identity.framework/org.wso2.carbon.identity.user.store.configuration.ui
0 - 7.5.12Maven
wso2/api_manager
3.1.0
wso2/api_manager
3.2.0
wso2/api_manager
3.2.1
wso2/api_manager
4.0.0
wso2/api_manager
4.1.0
wso2/api_manager
4.2.0
wso2/api_manager
4.3.0
wso2/enterprise_integrator
6.6.0
wso2/identity_server
5.10.0
... and 7 more
Published
Jun 02, 2025
Tracked Since
Feb 18, 2026