MEDIUM · CVE-2024-4867 · CVSS 5.4

CVE-2024-4867: XSS in WSO2 API Manager

Platform: javascript

Component: wso2-api-manager

Fixed in: 3.2.0, 3.2.0.408, 3.2.1.32, 4.0.0.293, 4.1.0.187

AI Confidence: high · NVD · EPSS 0.0% · Reviewed: May 2026

CVE-2024-4867 describes a Cross-Site Scripting (XSS) vulnerability within the WSO2 API Manager developer portal. This flaw arises from insufficient input validation and output encoding, allowing attackers to inject malicious scripts. The vulnerability impacts versions from 0.0.0 up to and including 4.1.0.187, and a fix is available in version 4.1.0.187.

Impact and Attack Scenarios

Successful exploitation of CVE-2024-4867 allows an attacker to inject arbitrary JavaScript code into the WSO2 API Manager developer portal. This can lead to various malicious outcomes, including redirecting users to phishing sites, modifying the appearance of the web page to deceive users, or potentially stealing non-sensitive data from the browser. While session hijacking is mitigated by the httpOnly flag on session cookies, the ability to manipulate the UI and redirect users presents a significant risk. The blast radius extends to all users accessing the developer portal, particularly those with administrative privileges who might be tricked into performing actions based on the injected scripts.

Exploitation Context

CVE-2024-4867 was published on 2026-04-16. There is no indication of active exploitation or KEV listing at the time of writing. Public proof-of-concept (POC) code is not currently available, but the vulnerability's nature makes it likely that such code will emerge. The vulnerability's CVSS score of 5.4 (Medium) suggests a moderate probability of exploitation.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High
Reports: 1 threat report

EPSS

0.01% (1st percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical Impact: partial

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N (5.4, MEDIUM)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: Low (authentication level needed to attack)
User Interaction: Required (whether a victim must take action)
Scope: Changed (impact beyond the vulnerable component)
Confidentiality: Low (risk of sensitive data exposure)
Integrity: Low (risk of unauthorized data modification)
Availability: None (risk of service disruption)
What do these metrics mean?

Attack Vector: Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity: Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required: Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction: Required — victim must take an action: open a file, click a link, or visit a crafted page.
Scope: Changed — successful attack can pivot beyond the vulnerable component to other systems or the host OS. For this XSS, the component impacted beyond the portal is the victim's browser, not the API Manager host.
Confidentiality: Low — partial or indirect data access. Attacker gains limited information.
Integrity: Low — attacker can modify some data with limited scope or impact.
Availability: None — no availability impact. Service remains fully operational.

Affected Software

Component: wso2-api-manager
Vendor: WSO2

Affected range            Fixed in
0 – 3.1.9                 3.2.0
3.2.0 – 3.2.0.407         3.2.0.408
3.2.1 – 3.2.1.31          3.2.1.32
4.0.0 – 4.0.0.292         4.0.0.293
4.1.0 – 4.1.0.186         4.1.0.187

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. EPSS updated

Mitigation and Workarounds

The primary mitigation for CVE-2024-4867 is to upgrade WSO2 API Manager to version 4.1.0.187 or later, which contains the necessary fixes. If immediate upgrading is not feasible, consider implementing a Web Application Firewall (WAF) with rules to detect and block XSS payloads targeting the developer portal endpoints. Carefully review and sanitize all user-supplied input before rendering it in the portal. Monitor API Manager logs for suspicious activity, particularly unusual redirects or JavaScript execution patterns. After upgrading, confirm the fix by attempting to inject a simple XSS payload (e.g., <script>alert('XSS')</script>) through the developer portal and verifying that it is properly sanitized and does not execute.

How to fix

Update WSO2 API Manager to version 3.2.0.408 or later, 3.2.1.32 or later, 4.0.0.293 or later, or 4.1.0.187 or later to mitigate the Cross-Site Scripting (XSS) vulnerability. Ensure you review the release notes for any required configuration changes after the update. Implement robust input validations and proper output encoding in the developer portal.
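As an added illustration of the output-encoding fix recommended above and of the post-upgrade check described under Mitigation and Workarounds, the following is example code and not WSO2's own portal code; the api card fields (name, description, context) and the template markup are hypothetical.

```javascript
// Added example, not WSO2's own code: context-aware output encoding for
// user-controlled values rendered into a developer-portal page, with a check
// that the advisory's probe payload is rendered inert. The api fields
// (name, description, context) are hypothetical.
const HTML_ESCAPES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};

// Encode for HTML text content and double-quoted attribute values.
function encodeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (ch) => HTML_ESCAPES[ch]);
}

// Encode for a JavaScript string literal: every character outside a small
// safe set becomes a \uXXXX escape, so quotes, "</script>" and line breaks
// cannot terminate the literal or the enclosing <script> element.
function encodeJsString(value) {
  return String(value).replace(/[^A-Za-z0-9 ,.\-_]/g, (ch) =>
    '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0'));
}

// "Before": user-controlled fields are interpolated raw, the class of defect
// the advisory describes as insufficient output encoding.
function renderApiCardUnsafe(api) {
  return `<div class="api-card" data-name="${api.name}"><h3>${api.name}</h3>` +
    `<p>${api.description}</p><script>window.apiContext = "${api.context}";</script></div>`;
}

// "After": each value is encoded for the context it lands in.
function renderApiCard(api) {
  return `<div class="api-card" data-name="${encodeHtml(api.name)}"><h3>${encodeHtml(api.name)}</h3>` +
    `<p>${encodeHtml(api.description)}</p>` +
    `<script>window.apiContext = "${encodeJsString(api.context)}";</script></div>`;
}

// Check in the spirit of the advisory's post-upgrade verification: the rendered
// page must contain only the one <script> element the template itself emits,
// and the probe string must not appear verbatim anywhere.
function probeIsInert(html, probe) {
  const scriptTags = (html.match(/<script\b/gi) || []).length;
  return scriptTags === 1 && !html.includes(probe);
}

// Constructed sample input: the advisory's probe plus attribute- and JS-context variants.
const SAMPLE_API = {
  name: "<script>alert('XSS')</script>",
  description: 'Billing API" onmouseover="alert(1)',
  context: '"; alert(1); //',
};
```

Run `probeIsInert(renderApiCard(SAMPLE_API), SAMPLE_API.name)` against a page template to confirm the encoded rendering leaves the probe inert while the raw rendering does not.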


Frequently asked questions

What is CVE-2024-4867 — XSS in WSO2 API Manager?

CVE-2024-4867 is a Cross-Site Scripting (XSS) vulnerability in WSO2 API Manager, allowing attackers to inject malicious scripts into the developer portal.

Am I affected by CVE-2024-4867 in WSO2 API Manager?

You are affected if you are using WSO2 API Manager versions 0.0.0 through 4.1.0.187 and have not upgraded.

How do I fix CVE-2024-4867 in WSO2 API Manager?

Upgrade WSO2 API Manager to version 4.1.0.187 or later. Consider implementing a WAF as an interim measure.

Is CVE-2024-4867 being actively exploited?

There is currently no evidence of active exploitation, but the vulnerability's nature makes it a potential target.

Where can I find the official WSO2 advisory for CVE-2024-4867?

Refer to the official WSO2 security advisory for CVE-2024-4867 on the WSO2 website.
