CVE-2024-8008

MEDIUM

5.2

Description

A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to insufficient output encoding in error messages generated by the JDBC user store connection validation request. A malicious actor can inject a specially crafted payload into the request, causing the browser to execute arbitrary JavaScript in the context of the vulnerable page. This vulnerability may allow UI manipulation, redirection to malicious websites, or data exfiltration from the browser. However, since all session-related sensitive cookies are protected with the httpOnly flag, session hijacking is not possible.

Details CVE

Score CVSS v3.15.2

SeveriteMEDIUM

Vecteur CVSSCVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Vecteur d'attaqueADJACENT_NETWORK

ComplexiteLOW

Privileges requisNONE

Interaction utilisateurREQUIRED

Publie6/2/2025

Derniere modification10/6/2025

Sourcenvd

Observations honeypot0

Produits affectes

wso2:api_managerwso2:enterprise_integratorwso2:identity_serverwso2:identity_server_as_key_managerwso2:open_banking_amwso2:open_banking_iam

Faiblesses (CWE)

CWE-79

References

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3178/(ed10eef1-636d-4fbe-9993-6890dfa878f8)

Correlations IOC

Aucune correlation enregistree

This product uses data from the NVD API but is not endorsed or certified by the NVD.