Security
Headlines

Headlines Latest CVEs

Headline

GHSA-cmjc-qp7j-xgwr: WSO2 carbon-apimgt affected by an authenticated stored cross-site scripting (XSS) vulnerability

An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper validation of user-supplied input during API document upload in the Publisher portal. A user with publisher privileges can upload a crafted API document containing malicious JavaScript, which is later rendered in the browser when accessed by other users.

A successful attack could result in redirection to malicious websites, unauthorized UI modifications, or exfiltration of browser-accessible data. However, session-related sensitive cookies are protected by the httpOnly flag, preventing session hijacking.

20 days ago

#xss #vulnerability #web #git #java #auth #maven

GitHub Advisory Database
GitHub Reviewed
CVE-2025-4760

WSO2 carbon-apimgt affected by an authenticated stored cross-site scripting (XSS) vulnerability

Moderate severity GitHub Reviewed Published Sep 23, 2025 to the GitHub Advisory Database • Updated Sep 23, 2025

Package

maven org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.api (Maven)

Affected versions

< 9.31.117

Patched versions

9.31.117

maven org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.publisher.v1 (Maven)

Published to the GitHub Advisory Database

Sep 23, 2025

Last updated

Sep 23, 2025

ghsa: Latest News

GHSA-4p3p-cr38-v5xp: Omni is Vulnerable to DoS via Empty Create/Update Resource Requests

1 hour ago

GHSA-fhwm-pc6r-4h2f: CommandKit has incorrect command name exposure in context object for message command aliases

4 hours ago

GHSA-7r7f-9xpj-jmr7: Ash Framework: Filter authorization misapplies impossible bypass/runtime policies

8 hours ago

GHSA-wxwx-9fh7-5mrw: cel-rust May Panic During Parsing of Invalid CEL Expressions

2 days ago

GHSA-37j7-fg3j-429f: Happy DOM: VM Context Escape can lead to Remote Code Execution

2 days ago