VYPR
Moderate severityNVD Advisory· Published Sep 23, 2025· Updated Sep 23, 2025

Authenticated Stored Cross-Site Scripting (XSS) in Multiple WSO2 Products via API Document Upload in Publisher

CVE-2025-4760

Description

An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper validation of user-supplied input during API document upload in the Publisher portal. A user with publisher privileges can upload a crafted API document containing malicious JavaScript, which is later rendered in the browser when accessed by other users.

A successful attack could result in redirection to malicious websites, unauthorized UI modifications, or exfiltration of browser-accessible data. However, session-related sensitive cookies are protected by the httpOnly flag, preventing session hijacking.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.apiMaven
< 9.31.1179.31.117
org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.publisher.v1Maven
< 9.31.1179.31.117

Affected products

5

Patches

Vulnerability mechanics

References

7

News mentions

0

No linked articles in our index yet.