WSO2 API Manager Stored XSS Vulnerability (CVE-2025-4760) Advisory

Key Information Vulnerability Identifier Security Advisory ID: WSO2-2025-4104/CVE-2025-4760 Release Date: 2025-07-15 Update Date: 2025-07-15 Version: 1.0.0 Severity: Medium CVSS Score: 4.8 (CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/LI:L/A:N) Affected Products WSO2 API Manager: 3.2.0, 3.2.1, 4.1.0, 4.2.0, 4.3.0, 4.4.0, 4.5.0 WSO2 API Control Plane: 4.5.0 WSO2 Universal Gateway: 4.5.0 WSO2 Traffic Manager: 4.5.0 Overview Vulnerability Type: Stored Cross-Site Scripting (XSS) in Authentication Description Due to improper validation, users with publisher privileges can exploit a stored cross-site scripting (XSS) vulnerability by uploading API documentation files to the publisher. Impact Exploiting this XSS attack, malicious actors could cause browsers to redirect to malicious websites, alter web page UI, retrieve information from browsers, or otherwise cause harm. However, since all session-related sensitive cookies are marked with the HttpOnly flag and protected, session hijacking or similar attacks are not possible. Solution Community Users (Open Source): Apply the provided public fix. - GitHub Fix Link If applying the fix or update is not feasible, migrate to the latest unaffected version of the affected product. Support Subscription Holders: Update the product to the specified update level or higher to apply the fix. Acknowledgements WSO2 thanks Pham Ho Anh Dung for responsibly reporting the identified issue and collaborating with us to resolve it.

Goal Reached Thanks to every supporter — we hit 100%!

WSO2 API Manager Stored XSS Vulnerability (CVE-2025-4760) Advisory