Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2025-3125

Опубликовано: 05 нояб. 2025
Источник: nvd
CVSS3: 6.7
CVSS3: 7.2
EPSS Низкий

Описание

An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper input validation in the CarbonAppUploader admin service endpoint. An authenticated attacker with appropriate privileges can upload a malicious file to a user-controlled location on the server, potentially leading to remote code execution (RCE).

This functionality is restricted by default to admin users; therefore, successful exploitation requires valid credentials with administrative permissions.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:wso2:api_control_plane:4.5.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:3.2.1:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:4.0.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:4.1.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:4.2.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:4.3.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:4.4.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:4.5.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:enterprise_integrator:6.6.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:5.10.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:5.11.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:6.0.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:6.1.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:7.0.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server_as_key_manager:5.10.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:open_banking_iam:2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:traffic_manager:4.5.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:universal_gateway:4.5.0:*:*:*:*:*:*:*

EPSS

Процентиль: 50%
0.0027
Низкий

6.7 Medium

CVSS3

7.2 High

CVSS3

Дефекты

CWE-434

Связанные уязвимости

github логотип

GHSA-mg7h-mgjw-mg5g

CVSS3: 6.7
github
3 месяца назад

An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper input validation in the CarbonAppUploader admin service endpoint. An authenticated attacker with appropriate privileges can upload a malicious file to a user-controlled location on the server, potentially leading to remote code execution (RCE). This functionality is restricted by default to admin users; therefore, successful exploitation requires valid credentials with administrative permissions.

EPSS

Процентиль: 50%
0.0027
Низкий

6.7 Medium

CVSS3

7.2 High

CVSS3

Дефекты

CWE-434