WSO2 Products Management Console Stored Cross-Site Scripting Vulnerability

Vulnerability

A stored cross-site scripting vulnerability has been identified in the Management Console of multiple WSO2 products. This issue arises from inadequate input validation in the Rich Text Editor within the registry section. To exploit this vulnerability, a malicious actor must have a valid user account with administrative access to the Management Console. Successful exploitation allows the injection of persistent JavaScript payloads, which could lead to the theft of user data or the execution of unauthorized actions on behalf of other users. Although this vulnerability permits persistent client-side script execution, session-related cookies are safeguarded with the httpOnly flag, mitigating the risk of session hijacking.

Impact

Exploitation of this vulnerability allows for the injection of persistent JavaScript payloads, enabling the theft of user data or the execution of unauthorized actions on behalf of other users.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.5
exploitability: 4.8
remediation: 0.0
relevance: 0.1
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.