WSO2 carbon-registry Request Parameter cross site scripting
Description
A vulnerability classified as problematic has been found in WSO2 carbon-registry up to 4.8.6. This affects an unknown part of the component Request Parameter Handler. The manipulation of the argument parentPath/path/username/path/profile_menu leads to cross site scripting. It is possible to initiate the attack remotely. Upgrading to version 4.8.7 is able to address this issue. The name of the patch is 9f967abfde9317bee2cda469dbc09b57d539f2cc. It is recommended to upgrade the affected component. The identifier VDB-215901 was assigned to this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.wso2.carbon.registry:carbon-registry (Maven) | < 4.8.7 | 4.8.7 |
Affected products
- WSO2/carbon-registry (Range: 4.8.0)
Patches
Vulnerability mechanics
Root cause
"Missing input sanitization of request parameters allows for cross-site scripting (XSS)."
Attack vector
An attacker can trigger this cross-site scripting (XSS) vulnerability by manipulating the `parentPath`, `path`, `username`, or `profile_menu` request parameters. These parameters are processed by the Request Parameter Handler component, allowing for the injection of malicious scripts that execute in the context of the user's browser. The attack can be initiated remotely [patch_id=23318].
Affected code
The vulnerability exists in multiple JSP files within `components/registry/org.wso2.carbon.registry.profiles.ui/src/main/resources/web/userprofiles/`, specifically `profiles_select_ajaxprocessor.jsp`, `profiles_add_ajaxprocessor.jsp`, `profiles_edit_ajaxprocessor.jsp`, `profiles_edit_handler_ajaxprocessor.jsp`, `profiles_handler_ajaxprocessor.jsp`, and `profiles_main_ajaxprocessor.jsp`. These files fail to properly sanitize user-supplied request parameters before processing them [patch_id=23318].
What the fix does
The patch addresses the vulnerability by importing the `org.owasp.encoder.Encode` class from the OWASP Java Encoder library and wrapping the retrieval of each affected request parameter in `Encode.forHtml()` [patch_id=23318]. This HTML-entity encodes user-supplied input before it is written into the JSP output, so markup or script in a parameter value is rendered as literal text rather than interpreted by the browser. The change was applied consistently across all of the affected AJAX processor files [patch_id=23318].
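The before/after pattern the advisory describes, as an added illustration rather than code from the carbon-registry repository: a request parameter concatenated into HTML unencoded, beside the same value passed through `Encode.forHtml()`. The class, method and variable names are assumptions chosen for the example (they are not names from the affected JSP files), the probe string is a constructed sample, and the OWASP Java Encoder (`org.owasp.encoder:encoder`) must be on the classpath.

```java
import org.owasp.encoder.Encode;

/*
 * Added example, not code from the affected project. It contrasts the vulnerable
 * rendering pattern (raw parameter value emitted into HTML) with the patched
 * pattern (value wrapped in Encode.forHtml()). Names below are illustrative
 * assumptions, not identifiers from the carbon-registry JSP files.
 */
public class ProfileParamEncoding {

    // Before the fix: whatever the client sent in the parameter becomes markup.
    static String renderUnencoded(String username) {
        return "<td>" + username + "</td>";
    }

    // After the fix: HTML-entity encoding for an HTML body context, so '<' is
    // emitted as "&lt;" and the browser shows the value as text.
    static String renderEncoded(String username) {
        return "<td>" + Encode.forHtml(username) + "</td>";
    }

    // Simple review check: a value containing '<' must never appear verbatim in
    // the rendered output once the encoding wrapper is in place.
    static boolean leaksRawMarkup(String renderedHtml, String parameterValue) {
        return parameterValue.contains("<") && renderedHtml.contains(parameterValue);
    }

    public static void main(String[] args) {
        // Constructed sample standing in for a crafted 'username' request parameter.
        String probe = "<script>alert(1)</script>";

        String vulnerable = renderUnencoded(probe);
        String patched = renderEncoded(probe);

        System.out.println("unencoded: " + vulnerable);
        System.out.println("encoded:   " + patched);
        System.out.println("unencoded leaks raw markup: " + leaksRawMarkup(vulnerable, probe)); // true
        System.out.println("encoded leaks raw markup:   " + leaksRawMarkup(patched, probe));    // false
    }
}
```

`Encode.forHtml()` is the right choice for the HTML text and quoted attribute-value contexts these JSPs write into; a parameter emitted inside an inline `<script>` block or into a URL needs the context-specific `Encode.forJavaScript()` or `Encode.forUriComponent()` instead, because HTML entity encoding does not neutralize those contexts.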
Preconditions
- network: The attacker must be able to send requests to the affected WSO2 carbon-registry component.
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/wso2/carbon-registry/commit/9f967abfde9317bee2cda469dbc09b57d539f2cc (ghsa; mitigation, patch; WEB)
- github.com/advisories/GHSA-gp5f-gqgq-7254 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2022-4521 (ghsa; ADVISORY)
- github.com/wso2/carbon-registry/pull/399 (ghsa; related; WEB)
- github.com/wso2/carbon-registry/releases/tag/v4.8.12 (ghsa; WEB)
- github.com/wso2/carbon-registry/releases/tag/v4.8.7 (ghsa; mitigation; WEB)
- vuldb.com (ghsa; technical-description, vdb-entry; WEB)
News mentions
No linked articles in our index yet.