CVE-2024-0392

Cross-Site Request Forgery (CSRF) in WSO2 Enterprise Integrator 6.6.0 Management Console Due to Missing CSRF Token Validation

CVSS 5.4 MEDIUMEPSS 0.1%CWE-352

Vexday Risk Score

13Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 5.4EPSS 0.1%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Ciclo de vida

27 fev 2025Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

A Cross-Site Request Forgery (CSRF) vulnerability exists in the management console of WSO2 Enterprise Integrator 6.6.0 due to the absence of CSRF token validation. This flaw allows attackers to craft malicious requests that can trigger state-changing operations on behalf of an authenticated user, potentially compromising account settings and data integrity. The vulnerability only affects a limited set of state-changing operations, and successful exploitation requires social engineering to trick a user with access to the management console into performing the malicious action.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L

Produtos afetados

WSO2 · WSO2 Enterprise Integrator

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2023-2987/