Noël Maccary

**Name of the Vulnerable Software and Affected Versions** WSO2 products (affected versions not specified) **Description** A Cross-Site Request Forgery (CSRF) issue exists in multiple WSO2 products. This is due to the use of the HTTP GET method for state-changing operations within admin services, specifically in the event processor of the Carbon console. The SameSite=Lax cookie attribute does not effectively prevent exploitation in this context, as it allows cookies to be sent with cross-origin top-level navigations using GET requests. A malicious actor can exploit this by tricking an authenticated user into visiting a crafted link, causing the browser to issue unintended state-changing requests. Successful exploitation could lead to unauthorized operations, such as data modification or account changes. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WSO2 products (affected versions not specified) **Description** The Try-It feature, accessible to administrative users, contains server-side request forgery (SSRF) and reflected cross-site scripting (XSS) issues. The feature does not properly validate user-supplied URLs, allowing SSRF. Retrieved content is directly reflected in the HTTP response, enabling reflected XSS within the admin user's browser. An attacker could trick an administrator into accessing a crafted link, causing the server to fetch malicious content and reflect it into the admin’s browser, potentially leading to arbitrary JavaScript execution for UI manipulation or data exfiltration. SSRF can be used to query internal services, potentially aiding in internal network enumeration if the target endpoints are reachable. Session cookies are protected with the HttpOnly flag, but the XSS still presents a security risk. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WSO2 products (affected versions not specified) **Description** An authentication bypass exists in the Management Console of WSO2 products. An attacker with access to the console can modify the request URI to circumvent authentication and access restricted resources, leading to partial information disclosure. The known exposure is limited to memory statistics, but it allows unauthorized access to internal system details. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** WSO2 products (affected versions not specified) **Description** An authenticated remote code execution (RCE) issue exists due to improper input validation in the event processor admin service. An attacker with administrative access to the SOAP admin services can deploy a Siddhi execution plan containing malicious Java code, leading to arbitrary code execution on the server. Exploitation requires a valid user account with administrative privileges. The vulnerable component is the event processor admin service, specifically when handling Siddhi execution plans. The **API endpoint** used for deployment is the SOAP admin service. The vulnerability lies in the improper validation of input within the Siddhi execution plan, allowing malicious Java code to be injected and executed. The variable `execution plan` within the SOAP request is susceptible to this flaw. The function `deployExecutionPlan()` is involved in processing the Siddhi execution plan. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.