Note: This project will be discontinued after December 13, 2021.
Product: Api_manager (Wso2)
Repositories: Unknown. This might be proprietary software.
Vulnerabilities: 41
Date | Id | Summary | Products | Score | Patch | Annotated |
---|---|---|---|---|---|---|
2023-12-15 | CVE-2023-6837 | Multiple WSO2 products have been identified as vulnerable to perform user impersonation using JIT provisioning. In order for this vulnerability to have any impact on your deployment, the following conditions must be met: * An IDP configured for federated authentication and JIT provisioning enabled with the "Prompt for username, password and consent" option. * A service provider that uses the above IDP for federated authentication and has the "Assert identity using mapped local subject... | Api_manager, Carbon_identity_application_authentication_endpoint, Carbon_identity_application_authentication_framework, Identity_server, Identity_server_as_key_manager | 8.2 | | |
2019-05-14 | CVE-2019-6512 | An issue was discovered in WSO2 API Manager 2.6.0. It is possible to force the application to perform requests to the internal workstation (SSRF port-scanning), other adjacent workstations (SSRF network scanning), or to enumerate files because of the existence of the file:// wrapper. | Api_manager | 4.1 | ||
2019-05-14 | CVE-2019-6515 | An issue was discovered in WSO2 API Manager 2.6.0. Uploaded documents for API documentation are available to an unauthenticated user. | Api_manager | 5.3 | ||
2019-05-21 | CVE-2019-6513 | An issue was discovered in WSO2 API Manager 2.6.0. It is possible for a logged-in user to upload, as API documentation, any type of file by changing the extension to an allowed one. | Api_manager | 5.4 | ||
2023-05-23 | CVE-2023-31664 | A reflected cross-site scripting (XSS) vulnerability in /authenticationendpoint/login.do of WSO2 API Manager before 4.2.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the tenantDomain parameter. | Api_manager | 6.1 | ||
2022-04-18 | CVE-2022-29464 | Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a /fileupload endpoint with a Content-Disposition directory traversal sequence to reach a directory under the web root, such as a ../../../../repository/deployment/server/webapps directory. This affects WSO2 API Manager 2.2.0 up to 4.0.0, WSO2 Identity Server 5.2.0 up to 5.11.0, WSO2 Identity Server Analytics 5.4.0, 5.4.1, 5.5.0 and 5.6.0, WSO2 Identity Server as Key Manager 5.3.0... | Api_manager, Enterprise_integrator, Identity_server, Identity_server_analytics, Identity_server_as_key_manager, Open_banking_am, Open_banking_iam, Open_banking_km | 9.8 | ||
2020-05-08 | CVE-2020-12719 | XXE during an EventPublisher update can occur in Management Console in WSO2 API Manager 3.0.0 and earlier, API Manager Analytics 2.5.0 and earlier, API Microgateway 2.2.0, Enterprise Integrator 6.4.0 and earlier, IS as Key Manager 5.9.0 and earlier, Identity Server 5.9.0 and earlier, and Identity Server Analytics 5.6.0 and earlier. | Api_manager, Api_manager_analytics, Api_microgateway, Enterprise_integrator, Identity_server, Identity_server_analytics, Identity_server_as_key_manager | 7.2 | ||
2020-05-20 | CVE-2020-13226 | WSO2 API Manager 3.0.0 does not properly restrict outbound network access from a Publisher node, opening up the possibility of SSRF to this node's entire intranet. | Api_manager | 9.8 | ||
2020-06-06 | CVE-2020-13883 | In WSO2 API Manager 3.0.0 and earlier, WSO2 API Microgateway 2.2.0, and WSO2 IS as Key Manager 5.9.0 and earlier, Management Console allows XXE during addition or update of a Lifecycle. | Api_manager, Api_microgateway, Identity_server_as_key_manager | 6.7 | ||
2020-08-21 | CVE-2020-24589 | The Management Console in WSO2 API Manager through 3.1.0 and API Microgateway 2.2.0 allows XML External Entity injection (XXE) attacks. | Api_manager, Api_microgateway | 9.1 | | |