CVE-2025-6024

Source
https://cve.org/CVERecord?id=CVE-2025-6024
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-6024.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-6024
Published
2026-04-16T10:16:14.243Z
Modified
2026-07-08T08:08:08.026240679Z
Severity
  • 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
Summary
[none]
Details

The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection. An attacker can leverage this by injecting malicious scripts into the authentication endpoint. This can result in the user's browser being redirected to a malicious website, manipulation of the web page's user interface, or the retrieval of information from the browser. However, session hijacking is not possible due to the httpOnly flag protecting session-related cookies.

Database specific
{
    "unresolved_ranges": [
        {
            "cpes": [
                "cpe:2.3:a:wso2:api_manager:3.2.1:*:*:*:*:*:*:*"
            ],
            "extracted_events": [
                {
                    "introduced": "3.2.1"
                },
                {
                    "last_affected": "3.2.1"
                }
            ],
            "source": "CPE_STRING",
            "vendor_product": "wso2:api_manager"
        },
        {
            "cpes": [
                "cpe:2.3:a:wso2:identity_server:5.10.0:*:*:*:*:*:*:*",
                "cpe:2.3:a:wso2:identity_server:5.11.0:*:*:*:*:*:*:*"
            ],
            "extracted_events": [
                {
                    "introduced": "5.10.0"
                },
                {
                    "last_affected": "5.10.0"
                },
                {
                    "introduced": "5.11.0"
                },
                {
                    "last_affected": "5.11.0"
                }
            ],
            "source": "CPE_STRING",
            "vendor_product": "wso2:identity_server"
        }
    ]
}
References

Affected packages

Git / github.com/wso2/product-apim

Affected ranges

Type
GIT
Repo
https://github.com/wso2/product-apim
Events
Database specific
{
    "cpe": [
        "cpe:2.3:a:wso2:api_manager:3.1.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:wso2:api_manager:4.0.0:*:*:*:*:*:*:*",
        "cpe:2.3:a:wso2:api_manager:4.1.0:-:*:*:*:*:*:*"
    ],
    "source": "CPE_STRING",
    "extracted_events": [
        {
            "introduced": "3.1.0"
        },
        {
            "last_affected": "3.1.0"
        },
        {
            "introduced": "3.2.0"
        },
        {
            "last_affected": "3.2.0"
        },
        {
            "introduced": "4.0.0"
        },
        {
            "last_affected": "4.0.0"
        },
        {
            "introduced": "4.1.0-NA"
        },
        {
            "last_affected": "4.1.0-NA"
        }
    ]
}

Affected versions

3.*
3.1.0
3.2.0
4.*
4.0.0
4.0.0-beta
4.1.0-NA
v3.*
v3.1.0
v3.1.0-rc3
v3.2.0
v3.2.0-alpha
v3.2.0-beta
v3.2.0-m1
v3.2.0-rc1
v3.2.0-rc2
v3.2.0-rc3
v3.2.0-rc4
v3.2.0-rc5
v3.2.0-rc6
v4.*
v4.0.0
v4.0.0-alpha
v4.0.0-beta
v4.0.0-m1
v4.0.0-m2
v4.0.0-m3
v4.0.0-m4
v4.0.0-m5
v4.0.0-m6
v4.0.0-m7
v4.0.0-m8
v4.0.0-rc
v4.1.0
v4.1.0-alpha
v4.1.0-beta
v4.1.0-m1
v4.1.0-m2
v4.1.0-m3
v4.1.0-m4
v4.1.0-rc
v4.1.0-rc2
v4.1.0-rc3

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-6024.json"