Api_manager - Vulncode-DB

Note:

This project will be discontinued after December 13, 2021. [more]

Product:
Api_manager
(Wso2)

Repositories	Unknown: This might be proprietary software.
#Vulnerabilities	41

Date	Id	Summary	Products	Score	Patch	Annotated
2022-04-21	CVE-2022-29548	A reflected XSS issue exists in the Management Console of several WSO2 products. This affects API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; API Manager Analytics 2.2.0, 2.5.0, and 2.6.0; API Microgateway 2.2.0; Data Analytics Server 3.2.0; Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0; IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0; Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0; Identity Server Analytics 5.5.0 and 5.6.0; and WSO2...	Api_manager, Api_manager_analytics, Api_microgateway, Data_analytics_server, Enterprise_integrator, Identity_server, Identity_server_analytics, Identity_server_as_key_manager, Micro_integrator	6.1
2022-05-11	CVE-2021-42646	XML External Entity (XXE) vulnerability in the file based service provider creation feature of the Management Console in WSO2 API Manager 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; and WSO2 IS as Key Manager 5.7.0, 5.9.0, and 5.10.0; and WSO2 Identity Server 5.7.0, 5.8.0, 5.9.0, 5.10.0, and 5.11.0. Allows attackers to gain read access to sensitive information or cause a denial of service via crafted GET requests.	Api_manager, Identity_server, Identity_server_as_key_manager	9.1
2023-12-15	CVE-2023-6836	Multiple WSO2 products have been identified as vulnerable due to an XML External Entity (XXE) attack abuses a widely available but rarely used feature of XML parsers to access sensitive information.	Api_manager, Api_manager_analytics, Api_microgateway, Enterprise_integrator, Identity_server, Identity_server_as_key_manager, Micro_integrator	7.5
2023-12-15	CVE-2023-6835	Multiple WSO2 products have been identified as vulnerable due to lack of server-side input validation in the Forum feature, API rating could be manipulated.	Api_manager, Iot_server	5.3
2023-12-15	CVE-2023-6838	Reflected XSS vulnerability can be exploited by tampering a request parameter in Authentication Endpoint. This can be performed in both authenticated and unauthenticated requests.	Api_manager, Identity_server, Identity_server_as_key_manager	6.1
2023-12-15	CVE-2023-6839	Due to improper error handling, a REST API resource could expose a server side error containing an internal WSO2 specific package name in the HTTP response.	Api_manager	5.3
2023-12-18	CVE-2023-6911	Multiple WSO2 products have been identified as vulnerable due to improper output encoding, a Stored Cross Site Scripting (XSS) attack can be carried out by an attacker injecting a malicious payload into the Registry feature of the Management Console.	Api_manager, Api_manager_analytics, Api_microgateway, Data_analytics_server, Enterprise_integrator, Identity_server, Identity_server_analytics, Identity_server_as_key_manager, Message_broker	4.8
2019-08-16	CVE-2019-15108	An issue was discovered in WSO2 API Manager 2.6.0 before WSO2-CARBON-PATCH-4.4.0-4457. There is XSS via a crafted filename to the file-upload feature of the event simulator component.	Api_manager	4.8
2020-01-28	CVE-2019-20436	An issue was discovered in WSO2 API Manager 2.6.0, WSO2 IS as Key Manager 5.7.0, and WSO2 Identity Server 5.8.0. If there is a claim dialect configured with an XSS payload in the dialect URI, and a user picks up this dialect's URI and adds it as the service provider claim dialect while configuring the service provider, that payload gets executed. The attacker also needs to have privileges to log in to the management console, and to add and configure claim dialects.	Api_manager, Identity_server	6.1
2020-01-28	CVE-2019-20434	An issue was discovered in WSO2 API Manager 2.6.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Datasource creation page of the Management Console.	Api_manager	4.8