CVE-2024-8008

A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to insufficient output encoding in error messages generated by the JDBC user store connection validation request. A malicious actor can inject a specially crafted payload into the request, causing the browser to execute arbitrary JavaScript in the context of the vulnerable page. This vulnerability may allow UI manipulation, redirection to malicious websites, or data exfiltration from the browser. However, since all session-related sensitive cookies are protected with the httpOnly flag, session hijacking is not possible.

Configurations

No configuration.

History

06 Jun 2025, 15:15

Type: Summary

Values Removed:
  • (en) A reflected cross-site scripting (XSS) vulnerability exists in multiple [Vendor Name] products due to insufficient output encoding in error messages generated by the JDBC user store connection validation request. A malicious actor can inject a specially crafted payload into the request, causing the browser to execute arbitrary JavaScript in the context of the vulnerable page. This vulnerability may allow UI manipulation, redirection to malicious websites, or data exfiltration from the browser. However, since all session-related sensitive cookies are protected with the httpOnly flag, session hijacking is not possible.

Values Added:
  • (es) A reflected cross-site scripting (XSS) vulnerability exists in multiple [Vendor Name] products due to insufficient output encoding in error messages generated by the JDBC user store connection validation request. A malicious actor can inject a specially crafted payload into the request, causing the browser to execute arbitrary JavaScript in the context of the vulnerable page. This vulnerability may allow user interface manipulation, redirection to malicious websites, or data exfiltration from the browser. However, since all session-related sensitive cookies are protected with the httpOnly flag, session hijacking is not possible.
  • (en) A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to insufficient output encoding in error messages generated by the JDBC user store connection validation request. A malicious actor can inject a specially crafted payload into the request, causing the browser to execute arbitrary JavaScript in the context of the vulnerable page. This vulnerability may allow UI manipulation, redirection to malicious websites, or data exfiltration from the browser. However, since all session-related sensitive cookies are protected with the httpOnly flag, session hijacking is not possible.

02 Jun 2025, 17:15

Type: New CVE

Information

Published : 2025-06-02 17:15

Updated : 2025-06-06 15:15


NVD link : CVE-2024-8008

Mitre link : CVE-2024-8008

CVE.ORG link : CVE-2024-8008

Products Affected

No product.

CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')