CVE-2024-4867 PUBLISHED

Cross-Site Scripting via Developer Portal in WSO2 API Manager Enables UI Modification and Information Retrieval

Assigner: WSO2
Reserved: 14.05.2024
Published: 16.04.2026
Updated: 16.04.2026

The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output encoding. This deficiency allows a malicious actor to inject script content that is executed within the context of a user's browser.

By leveraging this cross-site scripting vulnerability, a malicious actor can cause the browser to redirect to a malicious website, make changes to the UI of the web page, or retrieve information from the browser. However, session hijacking is not possible as all session-related sensitive cookies are protected by the httpOnly flag.
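The two controls the advisory describes are output encoding (the missing one) and the httpOnly flag on session cookies (the one that limits the impact). The following is an added illustration, not WSO2 code: a small HTML output encoder, the same template rendered with and without it over a constructed untrusted value, a crude check for markup that the template did not emit, and a check that a Set-Cookie header carries HttpOnly. The template, the sample input and the cookie name are assumptions made for the example.

```javascript
// Added example (not from the advisory or WSO2): output encoding and an
// HttpOnly check, the two controls named in the CVE description.

// Encode the characters that let a string break out of HTML text content
// or an attribute value. Covers the HTML text / attribute context only.
function encodeForHtml(value) {
  const map = {
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  };
  return String(value).replace(/[&<>"'\/]/g, (ch) => map[ch]);
}

// Vulnerable rendering (hypothetical template): the untrusted value is
// interpolated as raw markup, so any tag it contains becomes part of the page.
function renderUnsafe(displayName) {
  return `<p>Welcome, ${displayName}</p>`;
}

// Hardened rendering: same template, value passed through the encoder.
function renderSafe(displayName) {
  return `<p>Welcome, ${encodeForHtml(displayName)}</p>`;
}

// Crude detector for tests or log review: report any element in the rendered
// markup that the template itself does not emit.
function containsInjectedMarkup(html, allowedTags = ['p']) {
  const tagRe = /<\/?([a-zA-Z][\w-]*)/g;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    if (!allowedTags.includes(m[1].toLowerCase())) return true;
  }
  return false;
}

// The advisory notes session cookies are protected by httpOnly, which keeps
// injected script from reading them. This checks a single Set-Cookie header
// value for that attribute (attribute names are case-insensitive).
function cookieHasHttpOnly(setCookieHeader) {
  return setCookieHeader
    .split(';')
    .slice(1)
    .some((attr) => attr.trim().toLowerCase() === 'httponly');
}

// Constructed sample untrusted input; not taken from the advisory.
const SAMPLE_INPUT = '<script>untrusted()</script>';

// Stand-alone demonstration.
console.log('unsafe :', renderUnsafe(SAMPLE_INPUT),
  '-> injected markup:', containsInjectedMarkup(renderUnsafe(SAMPLE_INPUT)));
console.log('safe   :', renderSafe(SAMPLE_INPUT),
  '-> injected markup:', containsInjectedMarkup(renderSafe(SAMPLE_INPUT)));
console.log('cookie HttpOnly:',
  cookieHasHttpOnly('SESSION=placeholder; Path=/; Secure; HttpOnly'));
```

The encoder only covers the HTML text and attribute-value contexts; a value written into a JavaScript string, a URL, or a CSS block needs a context-specific encoder instead, and the same rule applies to every portal page that reflects user input.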

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
CVSS Score: 5.4

Product Status

Vendor WSO2
Product WSO2 API Manager
Versions Default: unaffected
  • unknown from 0 to 3.2.0 (excl.)
  • affected from 3.2.0 to 3.2.0.408 (excl.)
  • affected from 3.2.1 to 3.2.1.32 (excl.)
  • affected from 4.0.0 to 4.0.0.293 (excl.)
  • affected from 4.1.0 to 4.1.0.187 (excl.)

Solutions

Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3391/#solution

References

Problem Types

  • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Impacts

  • CAPEC-232: Cross-site Scripting