CVE-2025-5350

Name of the Vulnerable Software and Affected Versions WSO2 products (affected versions not specified)

Description The Try-It feature, accessible to administrative users, contains server-side request forgery (SSRF) and reflected cross-site scripting (XSS) issues. The feature does not properly validate user-supplied URLs, allowing SSRF. Retrieved content is directly reflected in the HTTP response, enabling reflected XSS within the admin user's browser. An attacker could trick an administrator into accessing a crafted link, causing the server to fetch malicious content and reflect it into the admin’s browser, potentially leading to arbitrary JavaScript execution for UI manipulation or data exfiltration. SSRF can be used to query internal services, potentially aiding in internal network enumeration if the target endpoints are reachable. Session cookies are protected with the HttpOnly flag, but the XSS still presents a security risk.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.