Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2025-9804

Опубликовано: 16 окт. 2025
Источник: nvd
CVSS3: 9.6
CVSS3: 6.5
EPSS Низкий

Описание

An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information.

This vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager's API Gateway remain unaffected.

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:wso2:api_control_plane:4.5.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:2.2.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:2.5.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:2.6.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:3.0.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:3.1.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:3.2.1:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:4.0.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:4.1.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:4.2.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:4.3.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:4.4.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:4.5.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager_analytics:2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager_analytics:2.1.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager_analytics:2.2.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager_analytics:2.5.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:data_analytics_server:3.1.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:data_analytics_server:3.2.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:enterprise_integrator:6.2.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:enterprise_integrator:6.3.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:enterprise_mobility_manager:2.2.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:enterprise_service_bus:5.0.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:5.2.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:5.3.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:5.4.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:5.4.1:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:5.5.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:5.6.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:5.7.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:5.8.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:5.9.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:5.10.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:5.11.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:6.0.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:6.1.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:7.0.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:7.1.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server_analytics:5.2.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server_analytics:5.3.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server_analytics:5.5.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server_analytics:5.6.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server_as_key_manager:5.3.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server_as_key_manager:5.5.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server_as_key_manager:5.6.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server_as_key_manager:5.7.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server_as_key_manager:5.9.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server_as_key_manager:5.10.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:open_banking_am:1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:open_banking_am:1.5.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:open_banking_am:2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:open_banking_iam:2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:open_banking_km:1.4.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:open_banking_km:1.5.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:traffic_manager:4.5.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:universal_gateway:4.5.0:*:*:*:*:*:*:*

EPSS

Процентиль: 18%
0.00058
Низкий

9.6 Critical

CVSS3

6.5 Medium

CVSS3

Дефекты

CWE-284

Связанные уязвимости

github логотип

GHSA-rrm7-q958-j87q

CVSS3: 9.6
github
около 2 месяцев назад

An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain internal SOAP Admin Services and System REST APIs. A low-privileged user may exploit this flaw to perform unauthorized operations, including accessing server-level information. This vulnerability affects only internal administrative interfaces. APIs exposed through the WSO2 API Manager's API Gateway remain unaffected.

EPSS

Процентиль: 18%
0.00058
Низкий

9.6 Critical

CVSS3

6.5 Medium

CVSS3

Дефекты

CWE-284