CVE-2024-8008

Published: Jun 2, 2025

Modified: Oct 21, 2025

Status: PUBLISHED

CVSS v3.1 base score: 5.2 (MEDIUM)

Description

A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to insufficient output encoding in error messages generated by the JDBC user store connection validation request. A malicious actor can inject a specially crafted payload into the request, causing the browser to execute arbitrary JavaScript in the context of the vulnerable page. This vulnerability may allow UI manipulation, redirection to malicious websites, or data exfiltration from the browser. However, since all session-related sensitive cookies are protected with the HttpOnly flag, session hijacking is not possible.

Affected products (vendor: WSO2 for every row)

Product                                             Version range               Status
WSO2 Enterprise Integrator                          0 - < 6.6.0                 unknown
                                                    6.6.0 - < 6.6.0.211         affected
WSO2 API Manager                                    0 - < 3.1.0                 unknown
                                                    3.1.0 - < 3.1.0.305         affected
                                                    3.2.0 - < 3.2.0.396         affected
                                                    3.2.1 - < 3.2.1.28          affected
                                                    4.0.0 - < 4.0.0.313         affected
                                                    (5 more version ranges not shown on this page)
WSO2 Identity Server as Key Manager                 0 - < 5.10.0                unknown
                                                    5.10.0 - < 5.10.0.321       affected
WSO2 Identity Server                                0 - < 5.10.0                unknown
                                                    5.10.0 - < 5.10.0.328       affected
                                                    5.11.0 - < 5.11.0.374       affected
                                                    6.0.0 - < 6.0.0.216         affected
                                                    6.1.0 - < 6.1.0.201         affected
                                                    (1 more version range not shown on this page)
WSO2 Open Banking IAM                               0 - < 2.0.0                 unknown
                                                    2.0.0 - < 2.0.0.374         affected
WSO2 Open Banking AM                                0 - < 2.0.0                 unknown
                                                    2.0.0 - < 2.0.0.354         affected
WSO2 Traffic Manager                                4.5.0 - < 4.5.0.16          affected
WSO2 API Control Plane                              4.5.0 - < 4.5.0.17          affected
WSO2 Universal Gateway                              4.5.0 - < 4.5.0.16          affected
WSO2 Carbon Identity User Store Configuration UI    5.14.127 - < 5.14.127.9     affected
                                                    5.17.5 - < 5.17.5.289       affected
                                                    5.17.118 - < 5.17.118.10    affected
                                                    5.18.187 - < 5.18.187.276   affected
                                                    5.18.248 - < 5.18.248.22    affected
                                                    (8 more version ranges not shown on this page)

Weaknesses (CWE)

CVSS v3.1 Details

Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector: Adjacent
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Confidentiality: Low
Integrity: Low
Availability: None
