CVE-2024-6429

Summary

A content spoofing vulnerability exists in multiple WSO2 products due to improper error message handling. Under certain conditions, error messages are passed through URL parameters without validation, allowing malicious actors to inject arbitrary content into the UI.

By exploiting this vulnerability, attackers can manipulate browser-displayed error messages, enabling social engineering attacks through deceptive or misleading content.

Affected Software

VendorProductVersion RangeStatus
WSO2WSO2 Identity Server as Key Manager5.10.0 < 5.10.0.338affected
WSO2WSO2 API Manager0 < 3.2.0unknown
WSO2WSO2 API Manager3.2.0 < 3.2.0.409affected
WSO2WSO2 API Manager3.2.1 < 3.2.1.33affected
WSO2WSO2 API Manager4.0.0 < 4.0.0.327affected
WSO2WSO2 API Manager4.1.0 < 4.1.0.188affected
WSO2WSO2 API Manager4.2.0 < 4.2.0.128affected
WSO2WSO2 API Manager4.3.0 < 4.3.0.38affected
WSO2WSO2 API Manager4.4.0 < 4.4.0.4affected
WSO2WSO2 Identity Server0 < 5.10.0unknown
WSO2WSO2 Identity Server5.10.0 < 5.10.0.314affected
WSO2WSO2 Identity Server5.11.0 < 5.11.0.359affected
WSO2WSO2 Identity Server6.0.0 < 6.0.0.203affected
WSO2WSO2 Identity Server6.1.0 < 6.1.0.176affected
WSO2WSO2 Identity Server7.0.0 < 7.0.0.48affected

Weaknesses

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References