threat
engine
.sh
Back
·
··:··
Home
/
Product
/
wso2 identity server as key manager
Product
wso2 identity server as key manager
41 known vulnerabilities across versions
Vulnerabilities are listed by affected version. Select any CVE for the full briefing and its intelligence graph.
Sort
Newest first
Oldest first
Highest CVSS
Lowest CVSS
Min CVSS
Any
4.0+
7.0+ (High)
9.0+ (Critical)
Published since
Reset
CVE-2024-2374
>= 5.10.0 and < 5.10.0.296
The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the resolution
7.5
HIGH
CVE-2025-9312
all versions
A missing authentication enforcement vulnerability exists in the mutual TLS (mTLS) implementation used by System REST APIs and SOA
9.8
CRITICAL
CVE-2025-6670
all versions
A Cross-Site Request Forgery (CSRF) vulnerability exists in multiple WSO2 products due to the use of the HTTP GET method for state
8.8
HIGH
CVE-2025-10853
all versions
A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper ou
5.2
MEDIUM
CVE-2025-10907
all versions
An arbitrary file upload vulnerability exists in multiple WSO2 products due to insufficient validation of uploaded content and des
8.4
HIGH
CVE-2025-3125
all versions
An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper input validation in the CarbonAppUploader
6.7
MEDIUM
CVE-2025-5605
all versions
An authentication bypass vulnerability exists in the Management Console of multiple WSO2 products. A malicious actor with access t
4.3
MEDIUM
CVE-2025-5350
all versions
SSRF and Reflected XSS Vulnerabilities exist in multiple WSO2 products within the deprecated Try-It feature, which was accessible
5.9
MEDIUM
CVE-2025-9804
all versions
An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in certain in
9.6
CRITICAL
CVE-2025-10611
all versions
Due to an insufficient access control implementation in multiple WSO2 Products, authentication and authorization checks for certai
9.8
CRITICAL
CVE-2025-1862
all versions
An arbitrary file upload vulnerability exists in multiple WSO2 products due to improper validation of user-supplied filenames in t
6.7
MEDIUM
CVE-2025-1396
all versions
A username enumeration vulnerability exists in multiple WSO2 products when Multi-Attribute Login is enabled. In this configuration
3.7
LOW
CVE-2025-0672
all versions
An authentication bypass vulnerability exists in multiple WSO2 products when FIDO authentication is enabled. When a user account i
3.3
LOW
CVE-2025-0663
all versions
A cross-tenant authentication vulnerability exists in multiple WSO2 products due to improper cryptographic design in Adaptive Auth
6.8
MEDIUM
CVE-2024-3511
all versions
An incorrect authorization vulnerability exists in multiple WSO2 products that allows unauthorized access to versioned files store
4.3
MEDIUM
CVE-2024-8008
all versions
A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to insufficient output encoding in error
5.2
MEDIUM
CVE-2024-7073
all versions
A server-side request forgery (SSRF) vulnerability exists in multiple WSO2 products due to improper input validation in SOAP admin
6.5
MEDIUM
CVE-2024-3509
all versions
A stored cross-site scripting (XSS) vulnerability exists in the Management Console of multiple WSO2 products due to insufficient i
4.3
MEDIUM
CVE-2024-1440
all versions
An open redirection vulnerability exists in multiple WSO2 products due to improper validation of the multi-option URL in the authe
5.4
MEDIUM
CVE-2024-7097
all versions
An incorrect authorization vulnerability exists in multiple WSO2 products due to a flaw in the SOAP admin service, which allows us
4.3
MEDIUM
CVE-2024-7096
all versions
A privilege escalation vulnerability exists in multiple WSO2 products due to a business logic flaw in SOAP admin services. A malic
4.2
MEDIUM
CVE-2024-6914
all versions
An incorrect authorization vulnerability exists in multiple WSO2 products due to a business logic flaw in the account recovery-rel
9.8
CRITICAL
CVE-2023-6911
all versions
Multiple WSO2 products have been identified as vulnerable due to improper output encoding, a Stored Cross Site Scripting (XSS) att
4.8
MEDIUM
CVE-2023-6838
all versions
Reflected XSS vulnerability can be exploited by tampering a request parameter in Authentication Endpoint. This can be performed in
6.1
MEDIUM
CVE-2023-6837
>= 5.6.0 and < 5.6.0.17
Multiple WSO2 products have been identified as vulnerable to perform user impersonatoin using JIT provisioning. In order for this
8.5
HIGH
CVE-2023-6836
all versions
Multiple WSO2 products have been identified as vulnerable due to an XML External Entity (XXE) attack abuses a widely available but
4.6
MEDIUM
CVE-2021-42646
all versions
XML External Entity (XXE) vulnerability in the file based service provider creation feature of the Management Console in WSO2 API
9.1
CRITICAL
CVE-2022-29548
all versions
A reflected XSS issue exists in the Management Console of several WSO2 products. This affects API Manager 2.2.0, 2.5.0, 2.6.0, 3.0
4.6
MEDIUM
CVE-2022-29464
>= 5.3.0 and <= 5.10.0
Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload end
9.8
CRITICAL
CVE-2021-36760
all versions
In accountrecoveryendpoint/recoverpassword.do in WSO2 Identity Server 5.7.0, it is possible to perform a DOM-Based XSS attack affe
6.1
MEDIUM
CVE-2020-17453
all versions
WSO2 Management Console through 5.10 allows XSS via the carbon/admin/login.jsp msgId parameter.
6.1
MEDIUM
CVE-2020-24706
<= 5.10.0
An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager through 3.1.0, AP
6.1
MEDIUM
CVE-2020-24705
<= 5.10.0
An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-cont
8.8
HIGH
CVE-2020-24704
all versions
An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager 2.2.0, API Manage
6.1
MEDIUM
CVE-2020-24703
all versions
An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an attacker-cont
8.8
HIGH
CVE-2020-14446
<= 5.10.0
An issue was discovered in WSO2 Identity Server through 5.10.0 and WSO2 IS as Key Manager through 5.10.0. An open redirect exists.
6.1
MEDIUM
CVE-2020-14445
<= 5.9.0
An issue was discovered in WSO2 Identity Server through 5.9.0 and WSO2 IS as Key Manager through 5.9.0. A potential Reflected Cros
5.4
MEDIUM
CVE-2020-14444
<= 5.9.0
An issue was discovered in WSO2 Identity Server through 5.9.0 and WSO2 IS as Key Manager through 5.9.0. A potential Reflected Cros
5.4
MEDIUM
CVE-2020-13883
<= 5.9.0
In WSO2 API Manager 3.0.0 and earlier, WSO2 API Microgateway 2.2.0, and WSO2 IS as Key Manager 5.9.0 and earlier, Management Conso
6.7
MEDIUM
CVE-2020-12719
<= 5.9.0
XXE during an EventPublisher update can occur in Management Console in WSO2 API Manager 3.0.0 and earlier, API Manager Analytics 2
7.2
HIGH
CVE-2018-20737
all versions
An issue was discovered in WSO2 API Manager 2.1.0 and 2.6.0. Reflected XSS exists in the carbon part of the product.
5.4
MEDIUM
Vulnerabilities
CISA KEV catalog
CWE weaknesses
CAPEC attack patterns
Package vulnerabilities
Threat intelligence
Threat actors
Tools & malware
ATT&CK techniques
IOCs
Detection & defense
Sigma rules
YARA rules
Atomic Red Team tests
D3FEND countermeasures
Compliance
NIST 800-53
ISO 27001:2022
SOC 2 TSC
PCI-DSS v4.0
CIS Controls v8.1
About
All capabilities
Live statistics
Data sources
Privacy policy
Terms of service
threatengine.sh · Open-source threat intelligence platform · 100+ authoritative sources · Every fact traces to its origin