CVE-2024-6914— Incorrect Authorization in Multiple WSO2 Products via Account Recovery SOAP Admin Service Leading to Account Takeover
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2024-6914
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Incorrect Authorization in Multiple WSO2 Products via Account Recovery SOAP Admin Service Leading to Account Takeover
Source: NVD (National Vulnerability Database)
Vulnerability Description
An incorrect authorization vulnerability exists in multiple WSO2 products due to a business logic flaw in the account recovery-related SOAP admin service. A malicious actor can exploit this vulnerability to reset the password of any user account, leading to a complete account takeover, including accounts with elevated privileges. This vulnerability is exploitable only through the account recovery SOAP admin services exposed via the "/services" context path in affected products. The impact may be reduced if access to these endpoints has been restricted based on the "Security Guidelines for Production Deployment" by disabling exposure to untrusted networks.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
授权机制不正确
Source: NVD (National Vulnerability Database)
Vulnerability Title
WSO2多款产品 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
WSO2 API Manager等都是美国WSO2公司的产品。WSO2 API Manager是一套API生命周期管理解决方案。WSO2 Identity Server(IS)是一款身份认证服务器。WSO2 Open Banking AM是一个开放银行加速器。 WSO2多款产品存在安全漏洞,该漏洞源于业务逻辑缺陷,可能导致账户接管。以下产品受到影响:WSO2 API Manager、WSO2 Identity Server、WSO2 Identity Server as Key Manager、WSO2
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
| Vendor | Product | Affected Versions | CPE | Subscribe |
|---|---|---|---|---|
| WSO2 | WSO2 API Manager | 2.2.0 ~ 2.2.0.55 | - | |
| WSO2 | WSO2 Governance Registry | 5.4.0 ~ 5.4.0.14 | - | |
| WSO2 | WSO2 Identity Server | 5.3.0 ~ 5.3.0.31 | - | |
| WSO2 | WSO2 Identity Server as Key Manager | 5.3.0 ~ 5.3.0.36 | - | |
| WSO2 | WSO2 IoT | 3.3.0 ~ 3.3.0.59 | - | |
| WSO2 | WSO2 Open Banking AM | 1.3.0 ~ 1.3.0.130 | - | |
| WSO2 | WSO2 Open banking KM | 1.3.0 ~ 1.3.0.113 | - | |
| WSO2 | WSO2 Open Banking IAM | 2.0.0 ~ 2.0.0.362 | - | |
| WSO2 | WSO2 Carbon Identity Management | 5.7.5 ~ 5.7.5.9 | - |
II. Public POCs for CVE-2024-6914
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2024-6914
请登录查看更多情报信息。
- Security Advisory WSO2-2024-3561/CVE-2024-6914vendor-advisory
- https://nvd.nist.gov/vuln/detail/CVE-2024-6914
Same Patch Batch · WSO2 · 2025-05-22 · 4 CVEs total
| CVE-2024-5962 | 6.1 MEDIUM | Reflected Cross-Site Scripting (XSS) in Authentication Endpoint of Multiple WSO2 Products |
| CVE-2024-7487 | 5.8 MEDIUM | Improper Authentication in WSO2 Identity Server 7.0.0 Allows Bypass of App-Native Authenti |
| CVE-2024-7103 | 4.6 MEDIUM | Reflected Cross-Site Scripting (XSS) in WSO2 Identity Server 7.0.0 Sub-Organization Login |
IV. Related Vulnerabilities
Same product: WSO2 API Manager
- CVE-2025-6024
Cross-Site Scripting via Authentication Endpoint in Multiple - CVE-2024-10242
Reflected Cross-Site Scripting via Authentication Endpoint i - CVE-2024-8010
XML External Entity Injection via Publisher in WSO2 API Mana - CVE-2024-4867
Cross-Site Scripting via Developer Portal in WSO2 API Manage - CVE-2024-2374
XML External Entity Injection in Multiple WSO2 Products Allo
Same vendor: WSO2
- CVE-2025-10470
Denial-of-Service via Magic Link Authentication in WSO2 Iden - CVE-2025-10908
Account Lock Bypass via Magic Link or Pass Key Authenticatio - CVE-2024-0391
Username Enumeration via Email OTP Flow in Multiple WSO2 Pro - CVE-2025-10503
Reflected Cross-Site Scripting via Authentication Endpoint i - CVE-2025-12624
Improper Token Invalidation in WSO2 Identity Server Allows A
Same weakness: CWE-863
- CVE-2025-10908
Account Lock Bypass via Magic Link or Pass Key Authenticatio - CVE-2026-42571
Privilege Escalation Attack affecting Pelican Web UI - CVE-2025-15633
HCL BigFix WebUI is affected by an improper authorization vu - CVE-2026-42296
Argo Workflows has incomplete fix for CVE-2026-31892: hostNe - CVE-2025-66170
Apache CloudStack: Any user can list backups that they shoul
V. Comments for CVE-2024-6914
No comments yet