Wiz
Vulnerability DatabaseCVE-2025-4760

CVE-2025-4760
Java vulnerability analysis and mitigation

Overview

An authenticated stored cross-site scripting (XSS) vulnerability exists in multiple WSO2 products, identified as CVE-2025-4760. The vulnerability was discovered and disclosed on September 23, 2025, affecting the Publisher portal of WSO2 products. The vulnerability stems from improper validation of user-supplied input during API document upload functionality (NVD).

Technical details

The vulnerability is classified as a stored XSS issue (CWE-79) with a CVSS v3.1 base score of 4.8 (Medium) and vector string CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N. The vulnerability requires high privileges (publisher access) and user interaction to be exploited. The attack vector is network-accessible, with low attack complexity (NVD).

Impact

If successfully exploited, the vulnerability could lead to redirection to malicious websites, unauthorized UI modifications, or exfiltration of browser-accessible data. However, the impact is partially mitigated as session-related sensitive cookies are protected by the httpOnly flag, preventing session hijacking (NVD).

Mitigation and workarounds

For detailed mitigation instructions, refer to the WSO2 security advisory (WSO2 Advisory).

Additional resources

SourceThis report was generated using AI

Related Java vulnerabilities:

CVE ID

Severity

Score

Technologies

Component name

CISA KEV exploit

Has fix

Published date

CVE-2025-43814MEDIUM6.9
  • JavaJava
  • com.liferay:com.liferay.portal.security.audit.event.generators.user.management
NoYesSep 22, 2025
CVE-2025-59822MEDIUM6.3
  • JavaJava
  • org.http4s:http4s-ember-core_2.12
NoYesSep 23, 2025
CVE-2025-43810MEDIUM5.3
  • JavaJava
  • cpe:2.3:a:liferay:liferay_portal
NoYesSep 22, 2025
CVE-2025-4760MEDIUM4.8
  • JavaJava
  • org.wso2.carbon.apimgt:org.wso2.carbon.apimgt.api
NoYesSep 23, 2025
CVE-2024-6429MEDIUM4.3
  • JavaJava
  • org.wso2.identity.apps:authentication-portal
NoYesSep 23, 2025

Free Vulnerability Assessment

Benchmark your Cloud Security Posture

Evaluate your cloud security practices across 9 security domains to benchmark your risk level and identify gaps in your defenses.

Request assessment

Additional Wiz resources

Cloud Vulnerability DB

Cloud Vulnerability DB

A community-led vulnerabilities database

Cloud Threat Landscape

Cloud Threat Landscape

A threat intelligence database

PEACH

PEACH

A tenant isolation framework

Get a personalized demo

Ready to see Wiz in action?

"Best User Experience I have ever seen, provides full visibility to cloud workloads."
David EstlickCISO
"Wiz provides a single pane of glass to see what is going on in our cloud environments."
Adam FletcherChief Security Officer
"We know that if Wiz identifies something as critical, it actually is."
Greg PoniatowskiHead of Threat and Vulnerability Management
Get a demo