These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.
CVE-2022-29464 is a vulnerability affecting multiple WSO2 products, described as an unrestricted file upload issue. CISA added it to the Known Exploited Vulnerabilities catalog on 2022-04-25 and marked it as having known ransomware campaign use, which makes it a high-priority remediation item for any organization running affected WSO2 software.
CVE-2016-4327 is a cross-site scripting (XSS) vulnerability in WSO2 SOA Enablement Server for Java 6.6 build SSJ-6.6-20090827-1616 and earlier. The issue allows a remote attacker to inject arbitrary web script or HTML through the PATH_INFO component, which can lead to script execution in a victim's browser under the affected site’s origin. NVD rates the issue as medium severity, with network attack vector [truncated]
CVE-2016-4316 is a medium-severity cross-site scripting issue in WSO2 Carbon 4.4.5 affecting multiple administration-facing JSP endpoints. Because the issue is network-reachable and can influence what a user’s browser renders, organizations running this version should treat it as a real risk to administrative sessions and prioritize remediation planning.
CVE-2016-4315 is a cross-site request forgery issue in WSO2 Carbon 4.4.5 that can be abused to make a privileged user’s browser send a shutdown request to the server-admin/proxy_ajaxprocessor.jsp endpoint. The practical impact is denial of service: if a privileged session is tricked into issuing the action, the server can be shut down without the attacker needing direct authentication to the target.
CVE-2016-4314 is a directory traversal vulnerability in the LogViewer Admin Service of WSO2 Carbon 4.4.5. According to the NVD description, a remote authenticated administrator can supply dot-dot sequences in the logFile parameter to downloadgz-ajaxprocessor.jsp and read arbitrary files. NVD assigns CWE-22 and a CVSS 3.0 score of 4.9 (MEDIUM).
CVE-2016-4312 affects WSO2 Identity Server 5.1.0 and is a high-impact XML external entity (XXE) issue in the XACML flow feature. A crafted XACML request sent to entitlement/eval-policy-submit.jsp can trigger unsafe XML processing, which may allow an authenticated attacker with access to XACML features to read local files, cause denial of service, or perform server-side request forgery (SSRF). The vulnerab [truncated]
CVE-2016-4311 is a high-severity cross-site request forgery (CSRF) issue in the XACML flow feature of WSO2 Identity Server 5.1.0. A remote attacker could abuse a logged-in privileged user’s session to submit unintended XACML-related requests through entitlement/eval-policy-submit.jsp. The NVD record rates the issue as CVSS 3.0 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and maps it to CWE-352.