VYPR
Moderate severity · NVD Advisory · Published Dec 18, 2023 · Updated Aug 2, 2024

CVE-2023-6911

Description

Multiple WSO2 products are vulnerable to stored cross-site scripting (XSS) because of improper output encoding in the Registry feature of the Management Console: a malicious payload that an attacker injects into the Registry is later rendered without encoding, so it executes in the browser of any user who views the affected Registry page.
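Added illustration, not code from the advisory or from the WSO2 repository: a Python simulation of the two output contexts a Registry comment page like the one patched below has, the HTML body where the comment text, timestamp and user name land, and the JavaScript string literal inside a delete link's onclick attribute. html.escape stands in for Encode.forHtml; for_js_string is a hypothetical stand-in for a JavaScript-string encoder; the sample comment and path values are constructed. It shows that HTML encoding neutralises the stored payload in the body, and that the same HTML encoding is the wrong tool for the JavaScript-string context, where the browser decodes the character references again before the script runs.

```python
import html
import re

# Constructed sample inputs (not taken from the advisory): a stored comment body
# carrying an HTML payload, and a "path" value aimed at a JavaScript string
# context. Both stand for data an attacker could get into the Registry or onto
# the request.
STORED_COMMENT = '<img src=x onerror="alert(document.cookie)">'
PATH_PARAM = "x'); alert(1); ('"

# Characters that can end a JS string literal, the attribute around it, or a
# <script> block. Hypothetical stand-in for an Encode.forJavaScript()-style
# encoder: every such character is emitted as a \xHH escape.
JS_UNSAFE = set("\\'\"<>&/\r\n")


def for_html(s):
    # Stand-in for Encode.forHtml(): & < > " ' become character references.
    return html.escape(s, quote=True)


def for_js_string(s):
    return "".join("\\x%02x" % ord(c) if c in JS_UNSAFE else c for c in s)


def render_comment_vulnerable(comment, commented_time, commented_user):
    # Pre-fix shape: values dropped into the markup as-is.
    return (f'<div class="comment">{comment}<br/>'
            f'posted on {commented_time} by {commented_user}</div>')


def render_comment_fixed(comment, commented_time, commented_user):
    # Post-fix shape: every value HTML-encoded before it reaches the page.
    return (f'<div class="comment">{for_html(comment)}<br/>'
            f'posted on {for_html(commented_time)} by {for_html(commented_user)}</div>')


def render_delete_link_vulnerable(path):
    # The onclick attribute embeds path inside a JS string literal.
    return f"<a onclick=\"delComment('{path}')\">delete</a>"


def render_delete_link_html_only(path):
    # HTML encoding alone is the wrong encoder for this context: the HTML
    # parser decodes &#x27; back to ' before the JS engine sees the attribute.
    return f"<a onclick=\"delComment('{for_html(path)}')\">delete</a>"


def render_delete_link_fixed(path):
    # Encode inner context first (JS string), then outer context (HTML attribute).
    return f"<a onclick=\"delComment('{for_html(for_js_string(path))}')\">delete</a>"


LIVE_TAG = re.compile(r"<(img|script|svg|iframe)\b", re.I)


def contains_live_tag(markup):
    # A literal '<' followed by a scriptable tag name means the payload is
    # markup, not text.
    return bool(LIVE_TAG.search(markup))


def onclick_as_seen_by_js(markup):
    # What the JS engine receives: the attribute value after the HTML parser
    # has decoded character references.
    m = re.search(r'onclick="([^"]*)"', markup)
    return html.unescape(m.group(1))


def js_string_breaks_out(onclick_js):
    # True if the literal in delComment('...') is terminated before the intended
    # closing "')", i.e. an unescaped quote appears inside it.
    body = onclick_js[len("delComment('"):]
    i = 0
    while i < len(body):
        if body[i] == "\\":
            i += 2
            continue
        if body[i] == "'":
            return body[i:] != "')"
        i += 1
    return False


def main():
    print("vulnerable comment has live tag:",
          contains_live_tag(render_comment_vulnerable(STORED_COMMENT, "t", "u")))
    print("fixed comment has live tag:",
          contains_live_tag(render_comment_fixed(STORED_COMMENT, "t", "u")))
    for name, fn in (("vulnerable", render_delete_link_vulnerable),
                     ("html-only", render_delete_link_html_only),
                     ("fixed", render_delete_link_fixed)):
        js = onclick_as_seen_by_js(fn(PATH_PARAM))
        print(f"{name} delete link breaks out of JS string:", js_string_breaks_out(js))


if __name__ == "__main__":
    main()
```

The ordering in render_delete_link_fixed matters: encode for the innermost context (the JS string) first, then for the context that wraps it (the HTML attribute), so that each layer of decoding the browser performs undoes exactly one layer of encoding.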

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.wso2.carbon.registry:carbon-registry (Maven)
Affected versions: < 4.7.37
Patched versions: 4.7.37

Affected products: 3

Patches: 1

878fc7e53c90

Merge pull request #354 from hisanhunais/SECURITYINTERNAL-1225

https://github.com/wso2/carbon-registry · Vithursa · Jan 6, 2021 · via ghsa
1 file changed · +4 −3
  • components/registry/org.wso2.carbon.registry.info.ui/src/main/resources/web/info/comment-delete-ajaxprocessor.jsp · +4 −3 · modified
    @@ -25,6 +25,7 @@
     <%@ page import="org.wso2.carbon.utils.ServerConstants" %>
     <%@ page import="org.wso2.carbon.registry.common.beans.CommentBean" %>
     <%@ page import="org.wso2.carbon.registry.common.beans.utils.Comment" %>
    +<%@ page import="org.owasp.encoder.Encode" %>
     <carbon:jsi18n resourceBundle="org.wso2.carbon.registry.info.ui.i18n.JSResources"
     		request="<%=request%>" namespace="org.wso2.carbon.registry.info.ui" />
     <script type="text/javascript" src="../info/js/info.js"></script>
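Review bot: the new `org.owasp.encoder.Encode` page import is the only non-rendering change, and the commit summary shows a single file changed, so this relies on the `org.owasp.encoder` package already being resolvable for the `org.wso2.carbon.registry.info.ui` web bundle; if that dependency and its OSGi Import-Package entry are not already wired in, the JSP fails at first compilation on the server rather than at build time, so confirm the wiring or add it in the same change.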
    @@ -86,12 +87,12 @@
                                 <a class="closeButton icon-link registryWriteOperation" onclick="delComment('<%=request.getParameter("path")%>','<%=commentPath%>')" id="closeC<%=i%>" title="<fmt:message key="delete"/>" style="background-image: url(../admin/images/delete.gif);position:relative;float:right">&nbsp;</a>
                                 <% } %>
                                 <fmt:message key="comment">
    -                                <fmt:param value="<%=commentString%>"/>
    +                                <fmt:param value="<%=Encode.forHtml(commentString)%>"/>
                                 </fmt:message>
                                 <br/>
                                 <fmt:message key="posted.on.by">
    -                                <fmt:param value="<%=commentedTime%>"/>
    -                                <fmt:param value="<%=commentedUser%>"/>
    +                                <fmt:param value="<%=Encode.forHtml(commentedTime)%>"/>
    +                                <fmt:param value="<%=Encode.forHtml(commentedUser)%>"/>
                                 </fmt:message>
                                 <div style="clear:both;"></div>
                             </div>
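Review bot: the three `Encode.forHtml` calls cover the `fmt:param` values, but the unchanged context line at the top of this hunk still builds `onclick="delComment('<%=request.getParameter("path")%>','<%=commentPath%>')"` with both values unencoded; those sit inside a JavaScript string literal inside an HTML attribute, where `forHtml` would be the wrong encoder anyway, so apply `Encode.forJavaScript` (or `forJavaScriptAttribute`) to `path` and `commentPath` there, and treat `request.getParameter("path")` as untrusted since it is read straight from the request. `forHtml` is the right choice for the `fmt:param` values themselves, because JSTL's `fmt:message` does not escape its parameters, so no double encoding results.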
    


References: 5

News mentions: 0