PT-2025-23539 · Wso2+2 · Wso2 Api Control Plane+16
Published
2025-06-02
·
Updated
2025-10-06
·
CVE-2024-8008
CVSS v3.1
5.2
Medium
| Vector | AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
The product name cannot be determined.
Description
A reflected cross-site scripting (XSS) issue exists due to insufficient output encoding in error messages generated by the JDBC user store connection validation request. This allows a malicious actor to inject a specially crafted payload, causing the browser to execute arbitrary JavaScript in the context of the vulnerable page. The issue may allow UI manipulation, redirection to malicious websites, or data exfiltration from the browser, but session hijacking is not possible due to the httpOnly flag protection on session-related sensitive cookies.
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
XSS
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Wso2 Api Control Plane
Wso2 Api Manager
Wso2 Carbon Identity User Store Configuration Ui
Wso2 Enterprise Integrator
Wso2 Identity Server
Wso2 Identity Server As Key Manager
Wso2 Open Banking Am
Wso2 Traffic Manager
Wso2 Universal Gateway
Aimanager
Enterprise Integrator
Identityserver
Identity Server As Key Manager
Open Banking Am
Open Banking Iam
Org.Wso2.Carbon.Identity.Framework:Org.Wso2.Carbon.Identity.User.Store.Configuration.Ui
Product-Apim