CVE-2024-3509— WSO2多款产品 安全漏洞

Stored Cross-Site Scripting (XSS) in Management Console of Multiple WSO2 Products via Rich Text Editor

A stored cross-site scripting (XSS) vulnerability exists in the Management Console of multiple WSO2 products due to insufficient input validation in the Rich Text Editor within the registry section. To exploit this vulnerability, a malicious actor must have a valid user account with administrative access to the Management Console. If successful, the actor could inject persistent JavaScript payloads, enabling the theft of user data or execution of unauthorized actions on behalf of other users. While this issue enables persistent client-side script execution, session-related cookies remain protected with the httpOnly flag, preventing session hijacking.

CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

在Web页面生成时对输入的转义处理不恰当(跨站脚本)

WSO2多款产品 安全漏洞

WSO2 API Manager等都是美国WSO2公司的产品。WSO2 API Manager是一套API生命周期管理解决方案。WSO2 Enterprise Integrator是一套开源的混合集成平台。WSO2 Identity Server as Key Manager是一个身份服务器。 WSO2多款产品存在安全漏洞，该漏洞源于管理控制台中注册表部分的富文本编辑器输入验证不足，可能导致存储型跨站脚本攻击。以下产品受到影响：WSO2 API Manager、WSO2 Enterprise integr

N/A

N/A