CVE-2023-6911: 
Java vulnerability analysis and mitigation

CVE-2023-6911 is a Stored Cross-Site Scripting (XSS) vulnerability discovered in multiple WSO2 products. The vulnerability was disclosed on December 18, 2023, and affects various versions of WSO2 products including API Manager (2.2.0 through 4.0.0), Identity Server (5.4.0 through 5.11.0), Enterprise Integrator (6.1.0 through 6.6.0), and several other WSO2 components (NVD, WSO2 Advisory).

The vulnerability stems from improper output encoding in the Registry feature of the Management Console. It allows attackers to inject malicious payloads that can be executed when other users view the affected UI components. The vulnerability has been assigned a CVSS v3.1 base score of 4.8 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N, indicating network accessibility, low attack complexity, high privileges required, and user interaction needed for exploitation (NVD).

The vulnerability's impact is limited by the requirement of valid Management Console credentials. If exploited, attackers could potentially redirect browsers to malicious websites, modify web page UI elements, or extract information from the browser. However, session hijacking attacks are prevented as session-related sensitive cookies are protected with the httpOnly flag (WSO2 Advisory).

Organizations are advised to upgrade to the latest versions of affected WSO2 products if available. For products where the latest version is still affected, WSO2 has provided public fixes that can be applied. The specific fix can be found in the carbon-registry repository (WSO2 Advisory).