CVE-2024-4867
Description
The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output encoding. This deficiency allows a malicious actor to inject script content that is executed within the context of a user's browser.
By leveraging this cross-site scripting vulnerability, a malicious actor can cause the browser to redirect to a malicious website, make changes to the UI of the web page, or retrieve information from the browser. However, session hijacking is not possible as all session-related sensitive cookies are protected by the httpOnly flag.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Reflected XSS in WSO2 API Manager developer portal allows script injection, but session hijacking is prevented by httpOnly cookies.
Vulnerability Description
CVE-2024-4867 is a reflected cross-site scripting (XSS) vulnerability in the WSO2 API Manager developer portal. The developer portal fails to properly validate and encode user-supplied input, allowing an attacker to inject arbitrary script content that executes in a victim's browser.[1]
Exploitation
An authenticated attacker can craft a malicious link containing the injected script. When a user with a valid session clicks the link, the script executes in the context of the developer portal. The attack requires user interaction (clicking) and low privileges (attacker must be authenticated). No special network position is needed as the attack is delivered via a link.[1]
Impact
The attacker can cause the browser to redirect to a malicious website, modify the UI of the portal page, or retrieve information from the victim's browser. However, session-related sensitive cookies are protected with the httpOnly flag, preventing session hijacking.[1]
Mitigation
WSO2 has released fixes for the affected versions: 4.1.0 at update level 187, 4.0.0 at update level 293, 3.2.1 at update level 32, and 3.2.0 at update level 408. Users should migrate to the latest unaffected version or apply the appropriate update level.[1]
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches (0)
No patches discovered yet.
References (1)
News mentions (0)
No linked articles in our index yet.