CVE-2025-6670

Summary

A Cross-Site Request Forgery (CSRF) vulnerability exists in multiple WSO2 products due to the use of the HTTP GET method for state-changing operations within admin services, specifically in the event processor of the Carbon console. Although the SameSite=Lax cookie attribute is used as a mitigation, it is ineffective in this context because it allows cookies to be sent with cross-origin top-level navigations using GET requests.

A malicious actor can exploit this vulnerability by tricking an authenticated user into visiting a crafted link, leading the browser to issue unintended state-changing requests. Successful exploitation could result in unauthorized operations such as data modification, account changes, or other administrative actions. According to WSO2 Secure Production Guidelines, exposure of Carbon console services to untrusted networks is discouraged, which may reduce the impact in properly secured deployments.

Affected Software

VendorProductVersion RangeStatus
WSO2WSO2 Open Banking AM0 < 2.0.0unknown
WSO2WSO2 Open Banking AM2.0.0 < 2.0.0.398unaffected
WSO2WSO2 Open Banking IAM0 < 2.0.0unknown
WSO2WSO2 Open Banking IAM2.0.0 < 2.0.0.418unaffected
WSO2WSO2 Traffic Manager4.5.0 < 4.5.0.34affected
WSO2WSO2 Traffic Manager4.6.0 < 4.6.0.1affected
WSO2WSO2 Universal Gateway4.5.0 < 4.5.0.34affected
WSO2WSO2 Universal Gateway4.6.0 < 4.6.0.1affected
WSO2WSO2 API Control Plane4.5.0 < 4.5.0.36affected
WSO2WSO2 API Control Plane4.6.0 < 4.6.0.1affected
WSO2WSO2 API Manager0 < 3.1.0unknown
WSO2WSO2 API Manager3.1.0 < 3.1.0.349affected
WSO2WSO2 API Manager3.2.0 < 3.2.0.453affected
WSO2WSO2 API Manager3.2.1 < 3.2.1.73affected
WSO2WSO2 API Manager4.0.0 < 4.0.0.373affected
WSO2WSO2 API Manager4.1.0 < 4.1.0.236affected
WSO2WSO2 API Manager4.2.0 < 4.2.0.176affected
WSO2WSO2 API Manager4.3.0 < 4.3.0.88affected
WSO2WSO2 API Manager4.4.0 < 4.4.0.52affected
WSO2WSO2 API Manager4.5.0 < 4.5.0.35affected
WSO2WSO2 API Manager4.6.0 < 4.6.0.1affected
WSO2WSO2 Identity Server0 < 5.10.0unknown
WSO2WSO2 Identity Server5.10.0 < 5.10.0.378affected
WSO2WSO2 Identity Server5.11.0 < 5.11.0.425affected
WSO2WSO2 Identity Server6.0.0 < 6.0.0.252affected
WSO2WSO2 Identity Server6.1.0 < 6.1.0.253affected
WSO2WSO2 Identity Server7.0.0 < 7.0.0.130affected
WSO2WSO2 Identity Server7.1.0 < 7.1.0.38affected
WSO2WSO2 Identity Server7.2.0 < 7.2.0.1affected
WSO2WSO2 Identity Server as Key Manager0 < 5.10.0unknown
WSO2WSO2 Identity Server as Key Manager5.10.0 < 5.10.0.369affected
WSO2WSO2 Enterprise Integrator0 < 6.6.0unknown
WSO2WSO2 Enterprise Integrator6.6.0 < 6.6.0.226affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.5.3 < 4.5.3.50affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.6.0 < 4.6.0.2253affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.6.1 < 4.6.1.157affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.6.2 < 4.6.2.673affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.6.3 < 4.6.3.41affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.6.4 < 4.6.4.22affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.7.1 < 4.7.1.73affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.8.1 < 4.8.1.43affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.9.0 < 4.9.0.106affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.9.26 < 4.9.26.31affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.9.27 < 4.9.27.16affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.9.28 < 4.9.28.18affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.9.33 < 4.9.33.2affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.10.9 < 4.10.9.75affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.10.42 < 4.10.42.18affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.10.101 < 4.10.101.3affected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.9.29 <= 4.9.29.*unaffected
WSO2org.wso2.carbon:org.wso2.carbon.ui4.10.65 <= 4.10.*unaffected

Weaknesses

  • CWE-352: CWE-352 Cross-Site Request Forgery (CSRF)

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

References