CVE-2025-6670— Cross-Site Request Forgery (CSRF) in Multiple WSO2 Products via HTTP GET in Admin Services

Cross-Site Request Forgery (CSRF) in Multiple WSO2 Products via HTTP GET in Admin Services

A Cross-Site Request Forgery (CSRF) vulnerability exists in multiple WSO2 products due to the use of the HTTP GET method for state-changing operations within admin services, specifically in the event processor of the Carbon console. Although the SameSite=Lax cookie attribute is used as a mitigation, it is ineffective in this context because it allows cookies to be sent with cross-origin top-level navigations using GET requests. A malicious actor can exploit this vulnerability by tricking an authenticated user into visiting a crafted link, leading the browser to issue unintended state-changing requests. Successful exploitation could result in unauthorized operations such as data modification, account changes, or other administrative actions. According to WSO2 Secure Production Guidelines, exposure of Carbon console services to untrusted networks is discouraged, which may reduce the impact in properly secured deployments.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

跨站请求伪造(CSRF)

WSO2多款产品 安全漏洞

WSO2 Open Banking AM等都是美国WSO2公司的产品。WSO2 Open Banking AM是一个开放银行加速器。WSO2 Open Banking IAM是一种用于开放银行（Open Banking）领域的身份和访问管理解决方案。WSO2 Traffic Manager是一个调节和管理API流量的组件。 WSO2多款产品存在安全漏洞，该漏洞源于在Carbon控制台的事件处理器中使用HTTP GET方法进行状态更改操作，可能导致跨站请求伪造攻击。以下产品受到影响：WSO2 Open Ba

N/A

N/A