Platform: javascript
Component: wso2-api-manager
Fixed in: 3.2.0, 3.2.0.408, 3.2.1.32, 4.0.0.293, 4.1.0.187
CVE-2024-4867 describes a Cross-Site Scripting (XSS) vulnerability within the WSO2 API Manager developer portal. This flaw arises from insufficient input validation and output encoding, allowing attackers to inject malicious scripts. The vulnerability impacts versions from 0.0.0 up to and including 4.1.0.187, and a fix is available in version 4.1.0.187.
Successful exploitation of CVE-2024-4867 allows an attacker to inject arbitrary JavaScript code into the WSO2 API Manager developer portal. This can lead to various malicious outcomes, including redirecting users to phishing sites, modifying the appearance of the web page to deceive users, or potentially stealing non-sensitive data from the browser. While session hijacking is mitigated by the httpOnly flag on session cookies, the ability to manipulate the UI and redirect users presents a significant risk. The blast radius extends to all users accessing the developer portal, particularly those with administrative privileges who might be tricked into performing actions based on the injected scripts.
CVE-2024-4867 was published on 2026-04-16. There is no indication of active exploitation or KEV listing at the time of writing. Public proof-of-concept (POC) code is not currently available, but the vulnerability's nature makes it likely that such code will emerge. The vulnerability's CVSS score of 5.4 (Medium) suggests a moderate probability of exploitation.
Exploit Status
EPSS: 0.01% (1st percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2024-4867 is to upgrade WSO2 API Manager to version 4.1.0.187 or later, which contains the necessary fixes. If immediate upgrading is not feasible, consider implementing a Web Application Firewall (WAF) with rules to detect and block XSS payloads targeting the developer portal endpoints. Carefully review and sanitize all user-supplied input before rendering it in the portal. Monitor API Manager logs for suspicious activity, particularly unusual redirects or JavaScript execution patterns. After upgrading, confirm the fix by attempting to inject a simple XSS payload (e.g., <script>alert('XSS')</script>) through the developer portal and verifying that it is properly sanitized and does not execute.
Update WSO2 API Manager to version 3.2.0.408 or later, 3.2.1.32 or later, 4.0.0.293 or later, or 4.1.0.187 or later to mitigate the Cross-Site Scripting (XSS) vulnerability. Review the release notes for any required configuration changes after the update. Implement robust input validation and proper output encoding in the developer portal.
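The output-encoding mitigation described above, as an added example that is not WSO2's code and not the actual fix shipped in the listed releases. It assumes a hypothetical portal view that builds an API card from an untrusted API record (name, description, documentation link); the record values, the `portal.example.invalid` base URL and the helper names are constructed for illustration. It shows context-aware encoding for HTML text and quoted attribute values, plus a URL check that refuses non-http(s) schemes for links, so the verification payload quoted above renders as inert text instead of executing.

```javascript
// Added example (not WSO2 code): context-aware output encoding for untrusted
// values rendered into a developer-portal page. Works in Node or a browser.

// Characters that change meaning inside HTML text or a quoted attribute.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode a value for insertion into HTML text content or a *quoted* attribute.
// Every special character is replaced, so no tag or attribute boundary survives.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Encode a value destined for an href. Only http(s) targets are allowed;
// anything else (javascript:, data:, unparsable input) collapses to "#".
// The base URL is a constructed placeholder for the portal's own origin.
function safeHref(rawUrl) {
  let parsed;
  try {
    parsed = new URL(String(rawUrl), 'https://portal.example.invalid/');
  } catch (err) {
    return '#';
  }
  if (parsed.protocol !== 'https:' && parsed.protocol !== 'http:') {
    return '#';
  }
  return escapeHtml(parsed.href);
}

// Render one API listing. Every untrusted field passes through the encoder
// that matches the context it lands in (text, quoted attribute, href).
function renderApiCard(api) {
  return [
    '<div class="api-card">',
    `  <h2>${escapeHtml(api.name)}</h2>`,
    `  <p title="${escapeHtml(api.description)}">${escapeHtml(api.description)}</p>`,
    `  <a href="${safeHref(api.docsUrl)}">Documentation</a>`,
    '</div>',
  ].join('\n');
}

// Constructed sample record carrying the advisory's verification payload plus
// an attribute-breakout attempt and a javascript: link; none of these should
// survive encoding as live markup.
const untrustedApi = {
  name: "Orders API <script>alert('XSS')</script>",
  description: 'Returns orders" onmouseover="alert(1)',
  docsUrl: "javascript:alert('XSS')",
};

// Quick self-check a reviewer can run: the rendered card must contain no raw
// <script> tag, no unescaped event-handler attribute and no javascript: href.
function cardIsInert(html) {
  return (
    !/<script/i.test(html) &&
    !/\son\w+="/i.test(html) &&
    !/href="javascript:/i.test(html)
  );
}

if (typeof require !== 'undefined' && require.main === module) {
  const html = renderApiCard(untrustedApi);
  console.log(html);
  console.log('inert:', cardIsInert(html));
}
```

The encoder is applied at render time, per context, rather than by "sanitizing" input on the way in: a name such as `A&B API` must still be stored faithfully, and the same stored value needs different treatment in a text node, a `title` attribute and an `href`. Attribute values are always quoted in the template, which is what makes the five-character encoder sufficient for that context.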
CVE-2024-4867 is a Cross-Site Scripting (XSS) vulnerability in WSO2 API Manager, allowing attackers to inject malicious scripts into the developer portal.
You are affected if you are using WSO2 API Manager versions 0.0.0 through 4.1.0.187 and have not upgraded.
Upgrade WSO2 API Manager to version 4.1.0.187 or later. Consider implementing a WAF as an interim measure.
There is currently no evidence of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the official WSO2 security advisory for CVE-2024-4867 on the WSO2 website.