Authenticated Stored Cross-Site Scripting (XSS) in Multiple WSO2 Products via API Document Upload in Publisher
Description
An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper validation of user-supplied input during API document upload in the Publisher portal. A user with publisher privileges can upload a crafted API document containing malicious JavaScript, which is later rendered in the browser when accessed by other users.
A successful attack could result in redirection to malicious websites, unauthorized UI modifications, or exfiltration of browser-accessible data. However, session-related sensitive cookies are protected by the httpOnly flag, preventing session hijacking.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.api (Maven) | < 9.31.117 | 9.31.117 |
| org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.rest.api.publisher.v1 (Maven) | < 9.31.117 | 9.31.117 |
Affected products
- GHSA coordinates (2 package versions): pkg:maven/org.wso2.carbon.apimgt/org.wso2.carbon.apimgt.api and pkg:maven/org.wso2.carbon.apimgt/org.wso2.carbon.apimgt.rest.api.publisher.v1, range: < 9.31.117
- (no CPE), range: < 9.31.117
- (no CPE), range: < 9.31.117
- range: 4.5.0
- range: 6.7.206
- WSO2 / WSO2 Universal Gateway v5, range: 4.5.0
References
- github.com/advisories/GHSA-cmjc-qp7j-xgwr (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-4760 (GHSA, advisory)
- security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4104/ (MITRE, vendor advisory)
- github.com/wso2/carbon-apimgt/commit/1b3496c072ec68aaaf726996e2caa76f07c1adca (GHSA, web)
- github.com/wso2/carbon-apimgt/pull/13099 (GHSA, web)
- mvnrepository.com/artifact/org.wso2.carbon.apimgt/org.wso2.carbon.apimgt.api/9.31.117 (GHSA, web)
- security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4104 (GHSA, web)