CVE-2024-8008

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2024-8008
A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to insufficient output encoding in error messages generated by the JDBC user store connection validation request. A malicious actor can inject a specially crafted payload into the request, causing the browser to execute arbitrary JavaScript in the context of the vulnerable page. This vulnerability may allow UI manipulation, redirection to malicious websites, or data exfiltration from the browser. However, since all session-related sensitive cookies are protected with the httpOnly flag, session hijacking is not possible.

5.2 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.1 / Impact : 2.7

Attack Vector ADJACENT_NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References
Link Resource
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3178/ Vendor Advisory
Configurations

Configuration 1 (hide)

OR cpe:2.3:a:wso2:api_manager:3.1.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:3.2.1:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:4.0.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:4.1.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:4.2.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:4.3.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:enterprise_integrator:6.6.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:5.10.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:5.11.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:6.0.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:6.1.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:7.0.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server_as_key_manager:5.10.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:open_banking_am:2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:open_banking_iam:2.0.0:*:*:*:*:*:*:*
History

06 Oct 2025, 13:51

Type Values Removed Values Added
CPE cpe:2.3:a:wso2:api_manager:4.2.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server_as_key_manager:5.10.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:4.1.0:-:*:*:*:*:*:*
cpe:2.3:a:wso2:open_banking_am:2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:4.0.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:3.2.1:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:5.10.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:6.0.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:enterprise_integrator:6.6.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:5.11.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:3.1.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:7.0.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:open_banking_iam:2.0.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:identity_server:6.1.0:*:*:*:*:*:*:*
cpe:2.3:a:wso2:api_manager:4.3.0:-:*:*:*:*:*:*
First Time Wso2 identity Server As Key Manager
Wso2 open Banking Am
Wso2 open Banking Iam
Wso2
Wso2 api Manager
Wso2 enterprise Integrator
Wso2 identity Server
References () https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3178/ - () https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3178/ - Vendor Advisory

06 Jun 2025, 15:15

Type Values Removed Values Added
Summary
  • (es) Existe una vulnerabilidad de cross-site-scripting (XSS) reflejado en varios productos [Vendor Name] debido a una codificación de salida insuficiente en los mensajes de error generados por la solicitud de validación de conexión del almacén de usuarios JDBC. Un actor malicioso puede inyectar un payload especialmente manipulada en la solicitud, lo que provoca que el navegador ejecute JavaScript arbitrario en el contexto de la página vulnerable. Esta vulnerabilidad puede permitir la manipulación de la interfaz de usuario, la redirección a sitios web maliciosos o la exfiltración de datos del navegador. Sin embargo, dado que todas las cookies sensibles relacionadas con la sesión están protegidas con el indicador httpOnly, el secuestro de sesión no es posible.
Summary (en) A reflected cross-site scripting (XSS) vulnerability exists in multiple [Vendor Name] products due to insufficient output encoding in error messages generated by the JDBC user store connection validation request. A malicious actor can inject a specially crafted payload into the request, causing the browser to execute arbitrary JavaScript in the context of the vulnerable page. This vulnerability may allow UI manipulation, redirection to malicious websites, or data exfiltration from the browser. However, since all session-related sensitive cookies are protected with the httpOnly flag, session hijacking is not possible. (en) A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to insufficient output encoding in error messages generated by the JDBC user store connection validation request. A malicious actor can inject a specially crafted payload into the request, causing the browser to execute arbitrary JavaScript in the context of the vulnerable page. This vulnerability may allow UI manipulation, redirection to malicious websites, or data exfiltration from the browser. However, since all session-related sensitive cookies are protected with the httpOnly flag, session hijacking is not possible.

02 Jun 2025, 17:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-06-02 17:15

Updated : 2025-10-06 13:51

NVD link : CVE-2024-8008

Mitre link : CVE-2024-8008

CVE.ORG link : CVE-2024-8008

JSON object : View

Products Affected

wso2

  • identity_server_as_key_manager
  • api_manager
  • enterprise_integrator
  • identity_server
  • open_banking_am
  • open_banking_iam
CWE
CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')