CVE-2024-4867
Received Received - Intake
Cross-Site Scripting in WSO2 API Manager Developer Portal

Publication date: 2026-04-16

Last updated on: 2026-04-23

Assigner: WSO2 LLC

Description
The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output encoding. This deficiency allows a malicious actor to inject script content that is executed within the context of a user's browser. By leveraging this cross-site scripting vulnerability, a malicious actor can cause the browser to redirect to a malicious website, make changes to the UI of the web page, or retrieve information from the browser. However, session hijacking is not possible as all session-related sensitive cookies are protected by the httpOnly flag.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-16
Last Modified
2026-04-23
Generated
2026-06-16
AI Q&A
2026-04-16
EPSS Evaluated
2026-06-15
NVD
CVE-2024-4867
EUVD
EUVD-2024-55547
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
wso2 api_manager From 3.2.0 (inc) to 3.2.0.408 (exc)
wso2 api_manager From 3.2.1 (inc) to 3.2.1.32 (exc)
wso2 api_manager From 4.0.0 (inc) to 4.0.0.293 (exc)
wso2 api_manager From 4.1.0 (inc) to 4.1.0.187 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the WSO2 API Manager developer portal, where it accepts user-supplied input without proper validation or output encoding.

Because of this, a malicious actor can inject script content that executes within the context of a user's browser, leading to a cross-site scripting (XSS) attack.

Impact Analysis

By exploiting this cross-site scripting vulnerability, an attacker can cause the victim's browser to redirect to malicious websites, alter the user interface of the web page, or retrieve information from the browser.

However, session hijacking is not possible because session-related sensitive cookies are protected by the httpOnly flag.

Compliance Impact

The vulnerability allows a malicious actor to inject and execute script content within a user's browser, potentially leading to unauthorized access to information displayed or processed in the browser.

Such cross-site scripting (XSS) vulnerabilities can increase the risk of data exposure or manipulation, which may impact compliance with data protection regulations like GDPR or HIPAA that require safeguarding personal and sensitive information.

However, session hijacking is mitigated by the use of the httpOnly flag on session cookies, which reduces some risk of unauthorized session access.

Overall, the presence of this vulnerability could lead to non-compliance if exploited to access or manipulate protected data, as it undermines the integrity and confidentiality requirements mandated by such standards.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2024-4867. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart