{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2024-4867", "assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "state": "PUBLISHED", "assignerShortName": "WSO2", "dateReserved": "2024-05-14T12:13:06.529Z", "datePublished": "2026-04-16T09:32:40.941Z", "dateUpdated": "2026-04-16T12:30:42.568Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "shortName": "WSO2", "dateUpdated": "2026-04-16T09:32:40.941Z"}, "title": "Cross-Site Scripting via Developer Portal in WSO2 API Manager Enables UI Modification and Information Retrieval", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')", "type": "CWE"}]}], "impacts": [{"capecId": "CAPEC-232", "descriptions": [{"lang": "en", "value": "CAPEC-232 CAPEC-232: Cross-site Scripting"}]}], "affected": [{"vendor": "WSO2", "product": "WSO2 API Manager", "versions": [{"status": "unknown", "version": "0", "lessThan": "3.2.0", "versionType": "custom"}, {"status": "affected", "version": "3.2.0", "lessThan": "3.2.0.408", "versionType": "custom"}, {"status": "affected", "version": "3.2.1", "lessThan": "3.2.1.32", "versionType": "custom"}, {"status": "affected", "version": "4.0.0", "lessThan": "4.0.0.293", "versionType": "custom"}, {"status": "affected", "version": "4.1.0", "lessThan": "4.1.0.187", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output encoding. This deficiency allows a malicious actor to inject script content that is executed within the context of a user's browser.\n\nBy leveraging this cross-site scripting vulnerability, a malicious actor can cause the browser to redirect to a malicious website, make changes to the UI of the web page, or retrieve information from the browser. However, session hijacking is not possible as all session-related sensitive cookies are protected by the httpOnly flag.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output encoding. This deficiency allows a malicious actor to inject script content that is executed within the context of a user's browser.\n\nBy leveraging this cross-site scripting vulnerability, a malicious actor can cause the browser to redirect to a malicious website, make changes to the UI of the web page, or retrieve information from the browser. However, session hijacking is not possible as all session-related sensitive cookies are protected by the httpOnly flag."}]}], "references": [{"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3391/", "tags": ["vendor-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 5.4, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"}}], "solutions": [{"lang": "en", "value": "Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3391/#solution", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<span style=\"background-color: transparent;\">Follow the instructions given on </span><a target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3391/#solution\"><span style=\"background-color: transparent;\">https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3391/#solution</span></a> <br>"}]}], "source": {"advisory": "WSO2-2024-3391", "discovery": "INTERNAL"}, "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-16T12:20:00.908233Z", "id": "CVE-2024-4867", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T12:30:42.568Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-4867", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-16T12:20:00.908233Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-16T12:20:03.408Z"}}], "cna": {"title": "Cross-Site Scripting via Developer Portal in WSO2 API Manager Enables UI Modification and Information Retrieval", "source": {"advisory": "WSO2-2024-3391", "discovery": "INTERNAL"}, "impacts": [{"capecId": "CAPEC-232", "descriptions": [{"lang": "en", "value": "CAPEC-232 CAPEC-232: Cross-site Scripting"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "WSO2", "product": "WSO2 API Manager", "versions": [{"status": "unknown", "version": "0", "lessThan": "3.2.0", "versionType": "custom"}, {"status": "affected", "version": "3.2.0", "lessThan": "3.2.0.408", "versionType": "custom"}, {"status": "affected", "version": "3.2.1", "lessThan": "3.2.1.32", "versionType": "custom"}, {"status": "affected", "version": "4.0.0", "lessThan": "4.0.0.293", "versionType": "custom"}, {"status": "affected", "version": "4.1.0", "lessThan": "4.1.0.187", "versionType": "custom"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3391/#solution", "supportingMedia": [{"type": "text/html", "value": "<span style=\"background-color: transparent;\">Follow the instructions given on </span><a target=\"_blank\" rel=\"nofollow\" href=\"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3391/#solution\"><span style=\"background-color: transparent;\">https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3391/#solution</span></a> <br>", "base64": false}]}], "references": [{"url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3391/", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output encoding. This deficiency allows a malicious actor to inject script content that is executed within the context of a user's browser.\n\nBy leveraging this cross-site scripting vulnerability, a malicious actor can cause the browser to redirect to a malicious website, make changes to the UI of the web page, or retrieve information from the browser. However, session hijacking is not possible as all session-related sensitive cookies are protected by the httpOnly flag.", "supportingMedia": [{"type": "text/html", "value": "The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output encoding. This deficiency allows a malicious actor to inject script content that is executed within the context of a user's browser.\n\nBy leveraging this cross-site scripting vulnerability, a malicious actor can cause the browser to redirect to a malicious website, make changes to the UI of the web page, or retrieve information from the browser. However, session hijacking is not possible as all session-related sensitive cookies are protected by the httpOnly flag.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"}]}], "providerMetadata": {"orgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "shortName": "WSO2", "dateUpdated": "2026-04-16T09:32:40.941Z"}}}, "cveMetadata": {"cveId": "CVE-2024-4867", "state": "PUBLISHED", "dateUpdated": "2026-04-16T12:30:42.568Z", "dateReserved": "2024-05-14T12:13:06.529Z", "assignerOrgId": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "datePublished": "2026-04-16T09:32:40.941Z", "assignerShortName": "WSO2"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "8B00223A-8102-4887-A1A0-77B70ADDFFF5", "versionEndExcluding": "3.2.0.408", "versionStartIncluding": "3.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "A2CEF3D6-6A12-4933-8CAE-47870AC52DE7", "versionEndExcluding": "3.2.1.32", "versionStartIncluding": "3.2.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "45192132-C0AD-4E30-B2C0-864217FF1DCD", "versionEndExcluding": "4.0.0.293", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*:*", "matchCriteriaId": "FD911958-DA13-4B7C-8657-9ABE655352AF", "versionEndExcluding": "4.1.0.187", "versionStartIncluding": "4.1.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output encoding. This deficiency allows a malicious actor to inject script content that is executed within the context of a user's browser.\n\nBy leveraging this cross-site scripting vulnerability, a malicious actor can cause the browser to redirect to a malicious website, make changes to the UI of the web page, or retrieve information from the browser. However, session hijacking is not possible as all session-related sensitive cookies are protected by the httpOnly flag."}], "id": "CVE-2024-4867", "lastModified": "2026-04-23T15:35:37.363", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.3, "impactScore": 2.7, "source": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "type": "Secondary"}]}, "published": "2026-04-16T10:16:13.893", "references": [{"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "tags": ["Vendor Advisory"], "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3391/"}], "sourceIdentifier": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[3.2.0,3.2.0.408)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[3.2.1,3.2.1.32)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[4.0.0,4.0.0.293)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[4.1.0,4.1.0.187)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "WSO2 API Manager", "source": "cna", "vendor": "WSO2"}, "product": "wso2_api_manager", "vendor": "wso2"}], "analysis": {"en": {"generated_at": "2026-04-17T03:27:02.445132+00:00", "value": {"mitigation_remediation": ["Apply the vendor\u2011supplied patch following the instructions in the WSO2 security advisory.", "Enforce strict validation and sanitization of all user\u2011supplied input before it is rendered to the browser in the developer portal.", "Deploy a robust Content Security Policy that restricts script sources and prevents execution of injected scripts."], "summary": {"action": "Patch", "impact": "Cross\u2011Site Scripting that permits malicious script injection, UI manipulation, and information retrieval in the user\u2019s browser"}, "threat_synthesis": {"affected_systems": "WSO2 API Manager is the affected vendor and product. No specific version information is available in the advisory, so all releases of the API Manager product should be considered at risk until a patch is applied.", "description_and_impact": "The vulnerability stems from the WSO2 API Manager developer portal\u2019s failure to enforce proper validation and output encoding on user\u2011supplied input. Injected script content executes within the victim\u2019s browser context, enabling attackers to redirect the browser, modify the portal\u2019s user interface, or extract data visible to the browser. Cookie protection via the httpOnly flag prevents direct session hijacking, so the attacker\u2019s impact is limited to what can be accessed or manipulated through client\u2011side scripting.", "risk_and_exploitability": "The CVSS score of 5.4 indicates a medium severity. EPSS information is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers can exploit this via any public interface that accepts user input on the developer portal, such as input fields, comments, or custom content. Because session cookies are httpOnly, an attacker cannot hijack sessions, but they can still perform actions confined to the victim\u2019s browser context and access data exposed within that context."}}}}, "created": "2026-04-16T11:30:15.786803+00:00", "updated": "2026-04-17T03:30:08.599580+00:00", "vendors": ["wso2", "wso2$PRODUCT$wso2_api_manager"]}