CVE-2022-4520: 
Java vulnerability analysis and mitigation

A cross-site scripting (XSS) vulnerability was discovered in WSO2 carbon-registry up to version 4.8.11. The vulnerability was found in the registry advanced search functionality where several request parameters were not properly sanitized, including mediaType, rightOp, leftOp, rightPropertyValue, and leftPropertyValue (GitHub PR, GitHub Commit).

The vulnerability exists in the advanced search form processor (advancedSearchForm-ajaxprocessor.jsp) where user input parameters were not properly encoded before being displayed back to users. The fix involved implementing HTML encoding using the Encode.forHtml() function for multiple parameters including leftPropertyValue, rightPropertyValue, mediaType, rightOp, and leftOp (GitHub Commit).

If exploited, this vulnerability could allow attackers to inject malicious scripts that would execute in the context of other users' browsers who access the advanced search functionality. This could potentially lead to theft of sensitive information, session hijacking, or other client-side attacks.

The vulnerability was fixed in WSO2 carbon-registry version 4.8.12. Users should upgrade to this version or later to receive the security fix. The fix implements proper HTML encoding for user input parameters in the advanced search functionality (GitHub Release).