HIGH · CVE-2025-6670 · CVSS 8.8

A Cross-Site Request Forgery (CSRF) vulnerability exists in multiple WSO2 products because HTTP GET requests are used to perform state-changing operations in admin services, specifically in the event handler of the Carbon console.

Platform

java

Component

wso2-open-banking-am

Fixed versions

4.5.0.34, 4.6.0.1, 4.5.0.34, 4.6.0.1, 4.5.0.36, 4.6.0.1, 3.1.0.349, 3.2.0.453, 3.2.1.73, 4.0.0.373, 4.1.0.236, 4.2.0.176, 4.3.0.88, 4.4.0.52, 4.5.0.35, 4.6.0.1, 5.10.0.378, 5.11.0.425, 6.0.0.252, 6.1.0.253, 7.0.0.130, 7.1.0.38, 7.2.0.1, 5.10.0.369, 6.6.0.226, 4.5.3.50, 4.6.0.2253, 4.6.1.157, 4.6.2.673, 4.6.3.41, 4.6.4.22, 4.7.1.73, 4.8.1.43, 4.9.0.106, 4.9.26.31, 4.9.27.16, 4.9.28.18, 4.9.33.2, 4.10.9.75, 4.10.42.18, 4.10.101.3

AI Confidence: medium · NVD · EPSS 0.0% · Reviewed: May 2026

CVE-2025-6670 describes a Cross-Site Request Forgery (CSRF) vulnerability found in WSO2 Open Banking AM. This vulnerability allows an attacker to potentially manipulate an authenticated user's session and perform unauthorized actions within the admin services. The issue stems from the use of HTTP GET requests for state-changing operations, bypassing the effectiveness of the SameSite cookie attribute. Affected versions include those prior to 7.2.0.1, and a fix is available in version 7.2.0.1.


Impact and attack scenarios

An attacker can exploit this CSRF vulnerability by crafting a malicious link and enticing an authenticated user to click it. Upon clicking, the user's browser will unknowingly send a request to the WSO2 Open Banking AM server, executing the attacker's intended action. This could involve modifying configurations, creating or deleting users, or performing other administrative tasks without the user's explicit consent. The potential impact is significant, as a successful exploit could lead to unauthorized access and control over the WSO2 Open Banking AM instance, potentially compromising sensitive data and disrupting services. The reliance on GET requests for state changes, despite the presence of SameSite cookies, is the root cause, making this a particularly concerning vulnerability.

Exploitation context

CVE-2025-6670 was publicly disclosed on 2025-11-18. Because the state-changing operations are reachable through GET requests, the SameSite cookie attribute does not prevent the forged request. Currently, there are no publicly available proof-of-concept exploits, but the vulnerability's ease of exploitation makes it a potential target for opportunistic attackers. It is not currently listed in the CISA KEV catalog. The CVSS score of 8.8 (HIGH) reflects the potential for significant impact.

Who is at risk

Organizations utilizing WSO2 Open Banking AM in production environments, particularly those with legacy configurations or shared hosting environments, are at risk. Environments where admin access is not adequately restricted or monitored are especially vulnerable. Any deployment relying on older, unpatched versions of WSO2 Open Banking AM is potentially exposed.

Detection steps

• linux / server: Monitor WSO2 Open Banking AM access logs for unusual GET requests to admin endpoints. Use journalctl to filter for errors related to authentication or authorization.

journalctl -u wso2am -f | grep "CSRF" 

• generic web: Use curl to test for CSRF vulnerabilities on admin endpoints. Check response headers for unexpected behavior after submitting a request.

curl -v 'https://wso2am/admin/endpoint?param=value' -b 'SESSIONID=...'

• java: Examine WSO2 Open Banking AM code for instances where GET requests are used for state-changing operations. Look for patterns where user input is directly used in the request without proper validation.
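An added example (not from this page and not WSO2 code) of the log review in the first detection step above: it parses access-log lines in the combined format and flags GET requests to admin paths that carry query parameters and arrive with a cross-site Referer, the shape a CSRF-triggered state-changing GET would have. The admin path prefixes, the console host name and the log lines are constructed placeholders.

```python
import re
from urllib.parse import urlsplit

# Combined log format (Apache / Tomcat AccessLogValve "combined").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Assumed path prefixes of the Carbon console and admin services; adjust per deployment.
ADMIN_PREFIXES = ("/carbon/", "/services/")
# Assumed host name under which the console is served.
SELF_HOST = "wso2am.example.internal"

def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_suspicious(entry):
    """Heuristic for state-changing-by-GET CSRF: a GET to an admin path, with a
    query string (the parameters drive the action), arriving from a foreign Referer."""
    if entry["method"] != "GET":
        return False
    url = urlsplit(entry["path"])
    if not url.path.startswith(ADMIN_PREFIXES) or not url.query:
        return False
    ref_host = urlsplit(entry["referer"]).hostname
    # A missing Referer ("-") is common and is not flagged on its own;
    # a Referer from another origin on an admin GET is the strong signal.
    return ref_host is not None and ref_host != SELF_HOST

def find_suspicious(lines):
    hits = []
    for line in lines:
        e = parse_line(line)
        if e and is_suspicious(e):
            hits.append((e["ip"], e["path"], e["referer"]))
    return hits

# Constructed sample lines (not real traffic; the admin page path is a placeholder).
SAMPLE_LOG = [
    '10.0.0.5 - admin [18/Nov/2025:10:01:02 +0000] "GET /carbon/admin/index.jsp HTTP/1.1" 200 512 "https://wso2am.example.internal/carbon/admin/login.jsp" "Mozilla/5.0"',
    '10.0.0.5 - admin [18/Nov/2025:10:01:09 +0000] "GET /carbon/admin/example-action.jsp?op=delete&name=demo HTTP/1.1" 302 0 "https://cross-site.example/lure.html" "Mozilla/5.0"',
    '10.0.0.5 - admin [18/Nov/2025:10:02:00 +0000] "POST /carbon/user/add-user-finish.jsp HTTP/1.1" 302 0 "https://wso2am.example.internal/carbon/user/add-user.jsp" "Mozilla/5.0"',
    '10.0.0.7 - - [18/Nov/2025:10:03:00 +0000] "GET /api/am/publisher/v4/apis?limit=10 HTTP/1.1" 200 2048 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print("suspicious admin GET:", hit)
```

Referer can be suppressed by browser privacy settings, so treat a hit as a lead to correlate with the session's other activity rather than proof of an attack.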

Attack timeline

  1. Disclosure

Threat intelligence

Exploitation status

Proof of concept: unknown
CISA KEV: no
Internet exposure

EPSS

0.04% (10th percentile)

CISA SSVC

Exploitation: none
Automatable: no
Technical impact: total

CVSS vector

Threat intelligence · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H (8.8 HIGH)
Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit the vulnerability)
Privileges Required: None (authentication level needed for the attack)
User Interaction: Required (whether the victim must take an action)
Scope: Unchanged (impact beyond the affected component)
Confidentiality: High (risk of sensitive data disclosure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)
nextguardhq.com · CVSS v3.1 base score

What do these metrics mean?
Attack Vector
Network: exploitable remotely over the internet, with no physical or local access required. The largest attack surface.
Attack Complexity
Low: no special conditions; the vulnerability can be exploited reliably.
Privileges Required
None: no authentication or credentials are needed to exploit it.
User Interaction
Required: the victim must open a file, click a link or visit a crafted page.
Scope
Unchanged: the impact is limited to the vulnerable component itself.
Confidentiality
High: complete loss of confidentiality; the attacker can read all data.
Integrity
High: the attacker can write, modify or delete any data.
Availability
High: complete crash or resource exhaustion, a full denial of service.

Affected software

Component: wso2-open-banking-am
Vendor: WSO2

Affected range | Fixed version
4.5.0 – 4.5.0.34 | 4.5.0.34
4.6.0 – 4.6.0.1 | 4.6.0.1
4.5.0 – 4.5.0.34 | 4.5.0.34
4.6.0 – 4.6.0.1 | 4.6.0.1
4.5.0 – 4.5.0.36 | 4.5.0.36
4.6.0 – 4.6.0.1 | 4.6.0.1
3.1.0 – 3.1.0.349 | 3.1.0.349
3.2.0 – 3.2.0.453 | 3.2.0.453
3.2.1 – 3.2.1.73 | 3.2.1.73
4.0.0 – 4.0.0.373 | 4.0.0.373
4.1.0 – 4.1.0.236 | 4.1.0.236
4.2.0 – 4.2.0.176 | 4.2.0.176
4.3.0 – 4.3.0.88 | 4.3.0.88
4.4.0 – 4.4.0.52 | 4.4.0.52
4.5.0 – 4.5.0.35 | 4.5.0.35
4.6.0 – 4.6.0.1 | 4.6.0.1
5.10.0 – 5.10.0.378 | 5.10.0.378
5.11.0 – 5.11.0.425 | 5.11.0.425
6.0.0 – 6.0.0.252 | 6.0.0.252
6.1.0 – 6.1.0.253 | 6.1.0.253
7.0.0 – 7.0.0.130 | 7.0.0.130
7.1.0 – 7.1.0.38 | 7.1.0.38
7.2.0 – 7.2.0.1 | 7.2.0.1
5.10.0 – 5.10.0.369 | 5.10.0.369
6.6.0 – 6.6.0.226 | 6.6.0.226
4.5.3 – 4.5.3.50 | 4.5.3.50
4.6.0 – 4.6.0.2253 | 4.6.0.2253
4.6.1 – 4.6.1.157 | 4.6.1.157
4.6.2 – 4.6.2.673 | 4.6.2.673
4.6.3 – 4.6.3.41 | 4.6.3.41
4.6.4 – 4.6.4.22 | 4.6.4.22
4.7.1 – 4.7.1.73 | 4.7.1.73
4.8.1 – 4.8.1.43 | 4.8.1.43
4.9.0 – 4.9.0.106 | 4.9.0.106
4.9.26 – 4.9.26.31 | 4.9.26.31
4.9.27 – 4.9.27.16 | 4.9.27.16
4.9.28 – 4.9.28.18 | 4.9.28.18
4.9.33 – 4.9.33.2 | 4.9.33.2
4.10.9 – 4.10.9.75 | 4.10.9.75
4.10.42 – 4.10.42.18 | 4.10.42.18
4.10.101 – 4.10.101.3 | 4.10.101.3

Weakness classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. EPSS updated

Mitigations and workarounds

The primary mitigation for CVE-2025-6670 is to upgrade WSO2 Open Banking AM to version 7.2.0.1 or later, which includes the fix for this vulnerability. If an immediate upgrade is not feasible, consider implementing temporary workarounds to reduce the attack surface. These may include restricting access to admin services to trusted networks, implementing stricter input validation on all admin endpoints, and carefully reviewing any third-party integrations that interact with the admin console. While SameSite cookies are present, their ineffectiveness in this scenario highlights the importance of using POST requests for state-changing operations. After upgrading, confirm the fix by attempting to trigger a CSRF attack and verifying that the request is blocked or ignored.

Remediation

Upgrade to the latest version of WSO2 Open Banking AM that contains the fix for the CSRF vulnerability. Make sure the Carbon console services are not exposed to untrusted networks, following WSO2's secure production guidelines.


FAQ

What is CVE-2025-6670 — CSRF in WSO2 Open Banking AM?

CVE-2025-6670 is a Cross-Site Request Forgery (CSRF) vulnerability in WSO2 Open Banking AM versions prior to 7.2.0.1, allowing attackers to perform unauthorized actions via crafted links.

Am I affected by CVE-2025-6670 in WSO2 Open Banking AM?

Yes, if you are running WSO2 Open Banking AM versions earlier than 7.2.0.1, you are potentially affected by this CSRF vulnerability.

How do I fix CVE-2025-6670 in WSO2 Open Banking AM?

Upgrade WSO2 Open Banking AM to version 7.2.0.1 or later to resolve the vulnerability. Consider temporary workarounds if immediate upgrade is not possible.

Is CVE-2025-6670 being actively exploited?

While no public exploits are currently known, the vulnerability's ease of exploitation makes it a potential target for attackers.

Where can I find the official WSO2 advisory for CVE-2025-6670?

Refer to the official WSO2 security advisory for detailed information and updates regarding CVE-2025-6670: [https://wso2.com/en/security/vulnerabilities/cve-2025-6670/](https://wso2.com/en/security/vulnerabilities/cve-2025-6670/)
