CVE-2022-29548
Published: 21 April 2022
Summary
CVE-2022-29548 is a medium-severity Cross-site Scripting (CWE-79) vulnerability in WSO2 API Manager. Its CVSS base score is 4.6 (Medium).
Operationally, it is ranked in the top 1.0% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
Deeper analysis
A reflected cross-site scripting vulnerability exists in the Management Console component of multiple WSO2 products, including API Manager versions 2.2.0 through 4.0.0, Enterprise Integrator 6.2.0 through 6.6.0, Identity Server 5.5.0 through 5.11.0, and several related analytics and micro-integrator releases. The issue is tracked as CWE-79 and carries a CVSS 3.1 score of 4.6.
An unauthenticated attacker on an adjacent network can exploit the flaw by supplying a crafted link or request that triggers script execution in the browser of an authenticated console user who follows the link. Successful exploitation allows limited reading or modification of console data within the victim's session.
WSO2 has published security advisory WSO2-2021-1603 with mitigation guidance and links to updated releases; the advisory is mirrored on the vendor's documentation site. Public exploit code for the reflected XSS vector has been posted to Packet Storm.
The CVE maintains an EPSS score near 0.76 with a recorded peak of 0.77, indicating sustained exploitation interest after disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-33883
Vulnerability details
A reflected XSS issue exists in the Management Console of several WSO2 products. This affects API Manager 2.2.0, 2.5.0, 2.6.0, 3.0.0, 3.1.0, 3.2.0, and 4.0.0; API Manager Analytics 2.2.0, 2.5.0, and 2.6.0; API Microgateway 2.2.0; Data Analytics Server 3.2.0; Enterprise Integrator 6.2.0, 6.3.0, 6.4.0, 6.5.0, and 6.6.0; IS as Key Manager 5.5.0, 5.6.0, 5.7.0, 5.9.0, and 5.10.0; Identity Server 5.5.0, 5.6.0, 5.7.0, 5.9.0, 5.10.0, and 5.11.0; Identity Server Analytics 5.5.0 and 5.6.0; and WSO2 Micro Integrator 1.0.0.
- CWE(s): CWE-79 (Improper Neutralization of Input During Web Page Generation, "Cross-site Scripting")
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Penetration testing submits XSS payloads to web applications to detect cross-site scripting flaws for subsequent remediation.
- Input validation rejects script-related content in web inputs that could otherwise produce XSS.
- Output validation (or encoding) against expected content can reject or sanitize script content in generated web pages, reducing XSS exploitability.