Moderate severity · NVD Advisory · Published Dec 15, 2023 · Updated Aug 2, 2024
CVE-2023-6835
Description
Multiple WSO2 products have been identified as vulnerable due to a lack of server-side input validation in the Forum feature; API ratings could be manipulated.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.wso2.carbon.apimgt:forum (Maven) | <= 9.0.78 | — |
Affected products
- Range: 3.3.1.0
Patches
2e9591b72bc2 Merge pull request #10471 from isharac/6x
1 file changed · +3 −0
components/forum/org.wso2.carbon.forum/src/main/java/org/wso2/carbon/forum/registry/RegistryForumManager.java+3 −0 modified@@ -763,6 +763,9 @@ public float rateTopic(String topicId, int rating, String username, String tenan Registry registry; try { + final int MAX_RATE = 5; + final int MIN_RATE = 1; + rating = (rating > MAX_RATE) ? MAX_RATE : ((rating < MIN_RATE) ? MIN_RATE : rating); registry = getRegistry(username, tenantDomain); GenericArtifactManager artifactManager = getArtifactManager(registry, TOPIC_RXT_KEY); GenericArtifact genericArtifact = artifactManager.getGenericArtifact(topicId);
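Review bot: The added lines in rateTopic clamp an out-of-range rating to MIN_RATE or MAX_RATE instead of rejecting it, so a submitted value of 1000 is silently stored as 5 and a negative value as 1; the caller never learns its input was invalid, and the server still accepts ratings the UI would never produce. Consider rejecting the request instead, e.g. `if (rating < MIN_RATE || rating > MAX_RATE) { throw new IllegalArgumentException("rating must be between 1 and 5"); }`, and surface that as a validation error to the API layer. Two smaller points: MIN_RATE and MAX_RATE are declared as locals inside the try block, so any other rating path in RegistryForumManager cannot reuse them; hoisting them to private static final constants on the class keeps the bounds in one place. The hunk also adds no test and no changelog entry for the new bound, so there is nothing in the patch that would catch a regression to the unchecked behaviour.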
References
- https://github.com/advisories/GHSA-w7rx-824v-rgx5 (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2023-6835 (NVD advisory)
- https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2021-1357/ (vendor advisory, via MITRE)
- https://github.com/wso2/carbon-apimgt/blob/81e0c0b8ed0bd2dace1e9006be21acbb731c835e/components/forum/org.wso2.carbon.forum/src/main/java/org/wso2/carbon/forum/registry/RegistryForumManager.java (affected source file)
- https://github.com/wso2/carbon-apimgt/commit/2e9591b72bc286dfcd22b57768e984d867c902ba (fix commit)
- https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2021/WSO2-2021-1357 (vendor advisory)