Platform: javascript
Component: wso2-api-manager
Fixed in: 3.2.0.401, 4.0.0.318
CVE-2024-10242 is a Cross-Site Scripting (XSS) vulnerability in WSO2 API Manager. It lets an attacker inject script into the authentication endpoint, which can be used to redirect users or manipulate the login UI. Releases older than the fixed update levels are affected; the fix ships in 3.2.0.401 and 4.0.0.318.
Successful exploitation lets an attacker run arbitrary JavaScript in the WSO2 API Manager authentication endpoint, executed in the victim's browser when they load the affected page. Session cookies carry the httpOnly flag, so script cannot read them and straightforward session hijacking is mitigated. The attacker can still redirect the user to a malicious site (for example a look-alike login page), alter the appearance of the login form, and read any less sensitive information rendered on the page. The blast radius is limited to users who interact with the authentication flow, and the severity is rated Medium on the basis of UI manipulation and redirection.
CVE-2024-10242 was published on 2026-04-16. As of this date, no public proof-of-concept exploit is known, and the vulnerability is not listed in the CISA KEV catalog. The probability of exploitation is assessed as low to medium, pending the release of public exploits or observed targeting by threat actors.
Exploit Status
EPSS: 0.01% (3rd percentile)
CISA SSVC: not provided
CVSS Vector: not provided
The primary mitigation for CVE-2024-10242 is to upgrade WSO2 API Manager to a fixed update level (3.2.0.401 or later, or 4.0.0.318 or later). If an immediate upgrade is not possible, apply input validation and contextual output encoding to any user-supplied value the authentication endpoint reflects into its pages; encoding at output time is what actually prevents the browser from interpreting the value as markup. A Web Application Firewall (WAF) tuned to block common XSS payloads adds a layer of defense, but treat it as defense in depth rather than a fix, since filter bypasses for reflected XSS are routine. Review and update the WSO2 API Manager security configuration regularly to keep the attack surface small. After upgrading, confirm the fix in a non-production environment by requesting the authentication endpoint with a harmless probe payload (for example an img tag with an onerror handler) in the reflected parameter and checking that the response body contains only the encoded form of the payload, never the raw markup.
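To make the mitigation and the verification step concrete, here is an added example (not WSO2 API Manager's code, and not from the advisory). It models a login page that reflects a query parameter, first in the vulnerable concatenation style, then with output encoding only, then with an allow-list plus encoding, and it includes the probe check described above. The endpoint path `/authenticationendpoint/login.do`, the parameter name `authFailureMsg`, the host `apim.example.test` and the message key `login.fail.message` are assumptions chosen for the demo.

```javascript
// Added illustrative example of the reflected-XSS pattern behind CVE-2024-10242.
// Not WSO2 code: the endpoint path, parameter name, host and message key below
// are assumptions for the demo.

// Contextual output encoding for HTML text and double-quoted attribute contexts.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#x27;");
}

// Shared page template; errorHtml is inserted into an HTML text context.
function loginPage(errorHtml) {
  return (
    '<html><body><form method="post" action="/commonauth">' +
    '<p class="error">' + errorHtml + "</p>" +
    '<input name="username"><input name="password" type="password">' +
    "</form></body></html>"
  );
}

// Vulnerable pattern: the query parameter is concatenated into the page
// unencoded, so a crafted link runs script in the victim's browser.
function renderLoginVulnerable(requestUrl) {
  const msg = new URL(requestUrl).searchParams.get("authFailureMsg") || "";
  return loginPage(msg);
}

// Minimal fix: output encoding. The value is still echoed, but as inert text.
function renderLoginEncoded(requestUrl) {
  const msg = new URL(requestUrl).searchParams.get("authFailureMsg") || "";
  return loginPage(escapeHtml(msg));
}

// Stronger fix: validate the parameter against an allow-list of message keys
// (assumed key for the demo) and encode the server-chosen text. Unknown keys
// are never echoed back at all.
const KNOWN_MESSAGES = {
  "login.fail.message": "Login failed. Check your username and password and try again.",
};

function renderLoginHardened(requestUrl) {
  const key = new URL(requestUrl).searchParams.get("authFailureMsg") || "";
  let msg;
  if (Object.prototype.hasOwnProperty.call(KNOWN_MESSAGES, key)) {
    msg = KNOWN_MESSAGES[key];
  } else {
    msg = key === "" ? "" : "Authentication error.";
  }
  return loginPage(escapeHtml(msg));
}

// Post-upgrade check: send a harmless probe and look for the raw markup in the
// response body. Returns true when the page still reflects the payload
// unencoded, i.e. is still vulnerable.
const PROBE = '<img src=x onerror="alert(1)">';
const BASE = "https://apim.example.test/authenticationendpoint/login.do"; // assumed

function reflectsRawPayload(render, payload = PROBE) {
  const body = render(BASE + "?authFailureMsg=" + encodeURIComponent(payload));
  return body.includes(payload);
}

// Run the probe against all three renderers.
function auditAll() {
  return {
    vulnerable: reflectsRawPayload(renderLoginVulnerable),
    encoded: reflectsRawPayload(renderLoginEncoded),
    hardened: reflectsRawPayload(renderLoginHardened),
  };
}

console.log(auditAll()); // prints { vulnerable: true, encoded: false, hardened: false }
```

Against a real deployment the `render` function would be replaced by an HTTP request to the authentication endpoint, and the same substring check applied to the response body; keep the probe payload inert (no real callback or exfiltration) and run it only against a test instance you own.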
Update WSO2 API Manager to version 3.2.0.401 or later, or to version 4.0.0.318 or later. This update fixes the Cross-Site Scripting (XSS) vulnerability by properly validating user input at the authentication endpoint.
CVE-2024-10242 is a Cross-Site Scripting (XSS) vulnerability in WSO2 API Manager that allows attackers to inject malicious scripts into the authentication endpoint.
You are affected if you are running WSO2 API Manager at an update level older than 3.2.0.401 (3.2.0 line) or 4.0.0.318 (4.0.0 line). Upgrade to the fixed update level for your line to mitigate the risk.
Upgrade WSO2 API Manager to version 4.0.0.318 or later. Consider implementing input validation and output encoding as an interim measure.
As of the publication date, there are no publicly known active exploits for CVE-2024-10242.
Refer to the official WSO2 API Manager security advisories for detailed information and updates regarding CVE-2024-10242.