Key Information

Vulnerability Overview

Vulnerability ID: WSO2-2025-4124 / CVE-2025-5350
Release Date: 2025-10-24
Update Date: 2025-10-24
Version: 1.0.0
Severity: Medium
CVSS Score: 5.9 (CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L)

Affected Products

WSO2 API Control Plane: 4.5.0
WSO2 API Manager: 4.5.0, 4.4.0, 4.3.0, 4.2.0, 4.1.0, 4.0.0, 3.2.1, 3.2.0, 3.1.0
WSO2 Enterprise Integrator: 6.6.0
WSO2 Identity Server as Key Manager: 5.10.0
WSO2 Identity Server: 7.1.0, 7.0.0, 6.1.0, 6.0.0, 5.11.0, 5.10.0
WSO2 Open Banking IAM: 2.0.0
WSO2 Traffic Manager: 4.5.0
WSO2 Universal Gateway: 4.5.0

Description

Issue: The deprecated Try-it feature allows users with administrative privileges to access user-provided URLs without validation, potentially leading to a Server-Side Request Forgery (SSRF) vulnerability. Since the retrieved content is embedded directly in HTML responses, this can also be exploited to perform reflected Cross-Site Scripting (XSS) attacks within the context of an administrator's browser.

Impact

SSRF and XSS Combination: By tricking an administrator into accessing a specially crafted URL, an attacker can force the server to fetch malicious content, which is then reflected in the user's browser response, enabling arbitrary script execution to alter the UI or steal data.

Internal Service Enumeration: If a malicious actor with administrative privileges accesses a specially crafted URL, SSRF could be leveraged to query internal endpoints that are reachable from within the WSO2 product deployment but not publicly exposed, aiding in mapping internal network resources.

Remediation

Community Users (Open Source): Apply the relevant fixes from the public patch.

Support Subscription Holders: Upgrade the product to the specified update level or a higher version to apply the fix.

Acknowledgments

WSO2 thanks Noel MACCARY for responsibly reporting the identified issue and collaborating on its resolution.
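The Description and Impact sections above name two separate defects in a "try it" style proxy: the server fetches a caller-supplied URL with no validation (SSRF), and it embeds whatever comes back into HTML unescaped (reflected XSS). The following is an added illustration of the corresponding defensive checks; it is not WSO2 code and does not reproduce the patched feature. It assumes a constructed host allowlist (`api.example.internal`), an injectable resolver so the rebinding check can be exercised offline, and an injectable `fetch` callable standing in for the real HTTP client.

```python
import html
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlparse

# Constructed allowlist of backend hosts the proxy may reach (hypothetical).
ALLOWED_HOSTS = frozenset({"api.example.internal"})

Resolver = Callable[[str], Iterable[str]]


def resolve_with_dns(host: str) -> list:
    """Default resolver: every address the host resolves to (network access)."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_blocked_address(addr: str) -> bool:
    """Addresses a server-side fetch must never be pointed at, even for an
    allowlisted name: loopback, link-local, unspecified and multicast."""
    ip = ipaddress.ip_address(addr)
    return ip.is_loopback or ip.is_link_local or ip.is_unspecified or ip.is_multicast


def validate_target_url(url: str,
                        allowed_hosts: Iterable[str] = ALLOWED_HOSTS,
                        resolve: Resolver = resolve_with_dns) -> dict:
    """Return a pinned fetch target, or raise ValueError if the URL is not
    safe to request on the caller's behalf."""
    parsed = urlparse(url)
    # Only plain web schemes; file:, gopher:, jar: and friends are refused.
    if parsed.scheme not in ("http", "https"):
        raise ValueError(f"scheme not allowed: {parsed.scheme!r}")
    # Embedded credentials are a common way to confuse naive host parsing.
    if parsed.username is not None or parsed.password is not None:
        raise ValueError("credentials in URL are not allowed")
    host = (parsed.hostname or "").lower()
    # Exact-match allowlist: IP literals and arbitrary hosts fail here.
    if host not in {h.lower() for h in allowed_hosts}:
        raise ValueError(f"host not in allowlist: {host!r}")
    # Resolve once, check every address, and pin the result so the fetch
    # cannot be redirected by a DNS answer that changes between checks.
    addrs = list(resolve(host))
    if not addrs:
        raise ValueError(f"host does not resolve: {host!r}")
    for addr in addrs:
        if is_blocked_address(addr):
            raise ValueError(f"host resolves to blocked address {addr}")
    port = parsed.port or (443 if parsed.scheme == "https" else 80)
    return {"url": url, "host": host, "port": port, "pinned_addrs": addrs}


def render_try_it_output(fetched_body: str) -> str:
    """Embed the upstream body as inert text, never as markup."""
    return '<pre class="try-it-output">' + html.escape(fetched_body, quote=True) + "</pre>"


def handle_try_it(url: str, fetch: Callable[[dict], str],
                  resolve: Resolver = resolve_with_dns) -> str:
    """Validate, fetch through the injected client, then escape on output."""
    target = validate_target_url(url, resolve=resolve)
    body = fetch(target)
    return render_try_it_output(body)


if __name__ == "__main__":
    # Offline demonstration with a constructed resolver and a stub fetcher.
    fake_resolve = lambda host: ["203.0.113.10"]
    stub_fetch = lambda target: "<i>pong</i> from " + target["host"]
    print(handle_try_it("https://api.example.internal/ping", stub_fetch, fake_resolve))
    for bad in ("ftp://api.example.internal/", "http://127.0.0.1/", "http://other.example.com/"):
        try:
            validate_target_url(bad, resolve=fake_resolve)
        except ValueError as exc:
            print("rejected:", bad, "->", exc)
```

The two checks are independent: the allowlist plus resolved-address check addresses the SSRF half, and escaping at the point of HTML emission addresses the reflected XSS half regardless of what the upstream returns. Pinning the resolved addresses matters because a host that passes the allowlist can still be made to resolve to a loopback or link-local address later, so the real HTTP client should connect to `pinned_addrs` rather than re-resolving.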