CVE-2025-5350

Summary

SSRF and Reflected XSS Vulnerabilities exist in multiple WSO2 products within the deprecated Try-It feature, which was accessible only to administrative users. This feature accepted user-supplied URLs without proper validation, leading to server-side request forgery (SSRF). Additionally, the retrieved content was directly reflected in the HTTP response, enabling reflected cross-site scripting (XSS) in the admin user's browser context.

By tricking an administrator into accessing a crafted link, an attacker could force the server to fetch malicious content and reflect it into the admin’s browser, leading to arbitrary JavaScript execution for UI manipulation or data exfiltration. While session cookies are protected with the HttpOnly flag, the XSS still poses a significant security risk.

Furthermore, SSRF can be used by a privileged user to query internal services, potentially aiding in internal network enumeration if the target endpoints are reachable from the affected product.

Affected Software

VendorProductVersion RangeStatus
WSO2WSO2 Identity Server0 < 5.10.0unknown
WSO2WSO2 Identity Server5.10.0 < 5.10.0.359affected
WSO2WSO2 Identity Server5.11.0 < 5.11.0.415affected
WSO2WSO2 Identity Server6.0.0 < 6.0.0.246affected
WSO2WSO2 Identity Server6.1.0 < 6.1.0.245affected
WSO2WSO2 Identity Server7.0.0 < 7.0.0.120affected
WSO2WSO2 Identity Server7.1.0 < 7.1.0.27affected
WSO2WSO2 Enterprise Integrator0 < 6.6.0unknown
WSO2WSO2 Enterprise Integrator6.6.0 < 6.6.0.218affected
WSO2WSO2 API Manager0 < 3.1.0unknown
WSO2WSO2 API Manager3.1.0 < 3.1.0.332affected
WSO2WSO2 API Manager3.2.0 < 3.2.0.428affected
WSO2WSO2 API Manager3.2.1 < 3.2.1.47affected
WSO2WSO2 API Manager4.0.0 < 4.0.0.369affected
WSO2WSO2 API Manager4.1.0 < 4.1.0.209affected
WSO2WSO2 API Manager4.2.0 < 4.2.0.147affected
WSO2WSO2 API Manager4.3.0 < 4.3.0.60affected
WSO2WSO2 API Manager4.4.0 < 4.4.0.23affected
WSO2WSO2 API Manager4.5.0 < 4.5.0.7affected
WSO2WSO2 Universal Gateway4.5.0 < 4.5.0.7affected
WSO2WSO2 Traffic Manager4.5.0 < 4.5.0.7affected
WSO2WSO2 API Control Plane4.5.0 < 4.5.0.7affected
WSO2WSO2 Open Banking AM0 < 2.0.0unknown
WSO2WSO2 Open Banking AM2.0.0 < 2.0.0.380affected
WSO2WSO2 Open Banking IAM0 < 2.0.0unknown
WSO2WSO2 Open Banking IAM2.0.0 < 2.0.0.401affected
WSO2WSO2 Identity Server as Key Manager0 < 5.10.0unknown
WSO2WSO2 Identity Server as Key Manager5.10.0 < 5.10.0.352affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.5.3 < 4.5.3.41affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.6.0 < 4.6.0.1087affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.6.1 < 4.6.1.151affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.6.2 < 4.6.2.672affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.6.3 < 4.6.3.30affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.6.4 < 4.6.4.7affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.7.1 < 4.7.1.70affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.8.1 < 4.8.1.32affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.9.0 < 4.9.0.101affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.9.26 < 4.9.26.19affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.9.27 < 4.9.27.3affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.9.28 < 4.9.28.1affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.10.9 < 4.10.9.69affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.10.42 < 4.10.42.11affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.9.29 <= 4.9.*unaffected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.10.93 <= *unaffected

Weaknesses

  • CWE-918: CWE-918 Server-Side Request Forgery (SSRF)
  • CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References