CVE-2025-4760
Published: Sep 23, 2025
Modified: Sep 23, 2025
CVSS v3.1
4.8
Description
An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper validation of user-supplied input during API document upload in the Publisher portal. A user with publisher privileges can upload a crafted API document containing malicious JavaScript, which is later rendered in the browser when accessed by other users. A successful attack could result in redirection to malicious websites, unauthorized UI modifications, or exfiltration of browser-accessible data. However, session-related sensitive cookies are protected by the httpOnly flag, preventing session hijacking.
| Vendor | Product | Versions |
|---|---|---|
WSO2 | WSO2 API Manager | unknown 0 - < 3.2.0affected 3.2.0 - < 3.2.0.428affected 3.2.1 - < 3.2.1.48affected 4.1.0 - < 4.1.0.209affected 4.2.0 - < 4.2.0.145+3 more versions |
WSO2 | WSO2 API Control Plane | affected 4.5.0 - < 4.5.0.8 |
WSO2 | WSO2 Universal Gateway | affected 4.5.0 - < 4.5.0.7 |
WSO2 | WSO2 Traffic Manager | affected 4.5.0 - < 4.5.0.7 |
WSO2 | WSO2 Carbon API Management API | affected 6.7.206 - < 6.7.206.559affected 6.7.210 - < 6.7.210.48affected 9.20.74 - < 9.20.74.365affected 9.28.116 - < 9.28.116.321affected 9.29.120 - < 9.29.120.163+3 more versions |
Weaknesses (CWE)
CVSS v3.1 Details
CVSS v3.1 Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Security Training
Train your team to recognize and prevent security threats with our comprehensive security awareness program.
Start TrainingVulnerability Scanning
Discover vulnerabilities in your applications and infrastructure before attackers do.
Scan Now