CVE-2025-6670

Name of the Vulnerable Software and Affected Versions WSO2 products (affected versions not specified)

Description A Cross-Site Request Forgery (CSRF) issue exists in multiple WSO2 products. This is due to the use of the HTTP GET method for state-changing operations within admin services, specifically in the event processor of the Carbon console. The SameSite=Lax cookie attribute does not effectively prevent exploitation in this context, as it allows cookies to be sent with cross-origin top-level navigations using GET requests. A malicious actor can exploit this by tricking an authenticated user into visiting a crafted link, causing the browser to issue unintended state-changing requests. Successful exploitation could lead to unauthorized operations, such as data modification or account changes.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.