CVE-2025-4760
Description
An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper validation of user-supplied input during API document upload in the Publisher portal. A user with publisher privileges can upload a crafted API document containing malicious JavaScript, which is later rendered in the browser when accessed by other users.A successful attack could result in redirection to malicious websites, unauthorized UI modifications, or exfiltration of browser-accessible data. However, session-related sensitive cookies are protected by the httpOnly flag, preventing session hijacking.
Risk Information
Base Score
4.8
MODERATE
Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
EPSS Score
Exploitation Probability
0.023
Associated Vulnerability
| Vulnerability | OS Platform |
|---|---|
| Vulnerabilities CVE-2025-4760 are fixed in WSO2 - org.wso2.carbon.apimgt.api 9.31.117 | Windows |
| Vulnerabilities CVE-2025-4760 are fixed in WSO2 - org.wso2.carbon.apimgt.rest.api.publisher.v1 9.31.117 | Windows |
| Vulnerabilities CVE-2025-4760 are fixed in WSO2 - org.wso2.carbon.apimgt.api for Linux 9.31.117 | Linux |
| Vulnerabilities CVE-2025-4760 are fixed in WSO2 - org.wso2.carbon.apimgt.rest.api.publisher.v1 for Linux 9.31.117 | Linux |
Patch Details
No records foundReferences
https://nvd.nist.gov/vuln/detail/CVE-2023-1234
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-1234