CVE-2024-8008: 
Java vulnerability analysis and mitigation

A reflected cross-site scripting (XSS) vulnerability identified as CVE-2024-8008 affects multiple WSO2 products. The vulnerability was discovered in early 2024 and is due to insufficient output encoding in error messages generated by the JDBC user store connection validation request (WSO2 Advisory).

The vulnerability exists due to insufficient output encoding in error messages generated by the JDBC user store connection validation request. When a malicious actor injects a specially crafted payload into the request, it can cause the browser to execute arbitrary JavaScript in the context of the vulnerable page. The vulnerability has been assigned a CVSS v3.1 score of 5.2 (Medium) with the vector string CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (WSO2 Advisory).

The vulnerability can allow attackers to perform UI manipulation, redirect users to malicious websites, and potentially exfiltrate data from the browser. However, session hijacking attacks are not possible as all session-related sensitive cookies are protected with the httpOnly flag (WSO2 Advisory).

WSO2 has released fixes for the affected products. Community users can apply the public fix available at GitHub pull request #5927. Support subscription holders should update their products to the specified U2 update levels or higher. For example, WSO2 API Manager 4.3.0 should be updated to U2 level 32, WSO2 Identity Server 7.0.0 to U2 level 69, and other versions to their respective specified update levels (WSO2 Advisory).