CVE-2025-4760

Summary

An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper validation of user-supplied input during API document upload in the Publisher portal. A user with publisher privileges can upload a crafted API document containing malicious JavaScript, which is later rendered in the browser when accessed by other users.

A successful attack could result in redirection to malicious websites, unauthorized UI modifications, or exfiltration of browser-accessible data. However, session-related sensitive cookies are protected by the httpOnly flag, preventing session hijacking.

Affected Software

VendorProductVersion RangeStatus
WSO2WSO2 API Manager0 < 3.2.0unknown
WSO2WSO2 API Manager3.2.0 < 3.2.0.428affected
WSO2WSO2 API Manager3.2.1 < 3.2.1.48affected
WSO2WSO2 API Manager4.1.0 < 4.1.0.209affected
WSO2WSO2 API Manager4.2.0 < 4.2.0.145affected
WSO2WSO2 API Manager4.3.0 < 4.3.0.60affected
WSO2WSO2 API Manager4.4.0 < 4.4.0.23affected
WSO2WSO2 API Manager4.5.0 < 4.5.0.7affected
WSO2WSO2 API Control Plane4.5.0 < 4.5.0.8affected
WSO2WSO2 Universal Gateway4.5.0 < 4.5.0.7affected
WSO2WSO2 Traffic Manager4.5.0 < 4.5.0.7affected
WSO2WSO2 Carbon API Management API6.7.206 < 6.7.206.559affected
WSO2WSO2 Carbon API Management API6.7.210 < 6.7.210.48affected
WSO2WSO2 Carbon API Management API9.20.74 < 9.20.74.365affected
WSO2WSO2 Carbon API Management API9.28.116 < 9.28.116.321affected
WSO2WSO2 Carbon API Management API9.29.120 < 9.29.120.163affected
WSO2WSO2 Carbon API Management API9.30.67 < 9.30.67.80affected
WSO2WSO2 Carbon API Management API9.31.86 < 9.31.86.30affected
WSO2WSO2 Carbon API Management API9.31.117 <= *unaffected

Weaknesses

  • CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References