CVE-2025-4760

Опубликовано: 23 сент. 2025

Источник: nvd

CVSS3: 4.8

EPSS Низкий

Описание

An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper validation of user-supplied input during API document upload in the Publisher portal. A user with publisher privileges can upload a crafted API document containing malicious JavaScript, which is later rendered in the browser when accessed by other users.

A successful attack could result in redirection to malicious websites, unauthorized UI modifications, or exfiltration of browser-accessible data. However, session-related sensitive cookies are protected by the httpOnly flag, preventing session hijacking.

Ссылки

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4104/
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:wso2:api_control_plane:4.5.0:-:*:*:*:*:*:*

cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:*

cpe:2.3:a:wso2:api_manager:3.2.1:*:*:*:*:*:*:*

cpe:2.3:a:wso2:api_manager:4.1.0:-:*:*:*:*:*:*

cpe:2.3:a:wso2:api_manager:4.2.0:-:*:*:*:*:*:*

cpe:2.3:a:wso2:api_manager:4.3.0:-:*:*:*:*:*:*

cpe:2.3:a:wso2:api_manager:4.4.0:-:*:*:*:*:*:*

cpe:2.3:a:wso2:api_manager:4.5.0:-:*:*:*:*:*:*

cpe:2.3:a:wso2:traffic_manager:4.5.0:*:*:*:*:*:*:*

cpe:2.3:a:wso2:universal_gateway:4.5.0:*:*:*:*:*:*:*

EPSS

Процентиль: 16%

0.0005

Низкий

4.8 Medium

CVSS3

Дефекты

CWE-79

Связанные уязвимости

GHSA-cmjc-qp7j-xgwr