CVE-2025-6670

216.73.216.6

· Published 18/11/2025 12:15 · Modified 08/12/2025 14:00

Labels: CVE-2025-6670 2025-11-18 CVE-2025-6670 CWE-352 ed10eef1-636d-4fbe-9993-6890dfa878f8

Essential information

Published: 18/11/2025 12:15
Modified: 08/12/2025 14:00
Author: —
Creator: —
CVSS: 8.8 HIGH (v3.1)
CISA KEV: No
CWE: —
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS metrics

Description

A Cross-Site Request Forgery (CSRF) vulnerability exists in multiple WSO2 products due to the use of the HTTP GET method for state-changing operations within admin services, specifically in the event processor of the Carbon console. Although the SameSite=Lax cookie attribute is used as a mitigation, it is ineffective in this context because it allows cookies to be sent with cross-origin top-level navigations using GET requests. A malicious actor can exploit this vulnerability by tricking an authenticated user into visiting a crafted link, leading the browser to issue unintended state-changing requests. Successful exploitation could result in unauthorized operations such as data modification, account changes, or other administrative actions. According to WSO2 Secure Production Guidelines, exposure of Carbon console services to untrusted networks is discouraged, which may reduce the impact in properly secured deployments.

NVD status

Status: Analyzed — CVE has had analysis completed and all data associations made.
Source: ed10eef1-636d-4fbe-9993-6890dfa878f8
NVD: View on NVD

Affected products (CPE)

Product	CPE
wso2 / api control plane	`cpe:2.3:a:wso2:api_control_plane:4.5.0:-::::::`
wso2 / api control plane	`cpe:2.3:a:wso2:api_control_plane:4.6.0:-::::::`
wso2 / api manager	`cpe:2.3:a:wso2:api_manager:3.1.0:::::::*`
wso2 / api manager	`cpe:2.3:a:wso2:api_manager:3.2.0:::::::*`
wso2 / api manager	`cpe:2.3:a:wso2:api_manager:3.2.1:::::::*`
wso2 / api manager	`cpe:2.3:a:wso2:api_manager:4.0.0:::::::*`
wso2 / api manager	`cpe:2.3:a:wso2:api_manager:4.1.0:-::::::`
wso2 / api manager	`cpe:2.3:a:wso2:api_manager:4.2.0:-::::::`
wso2 / api manager	`cpe:2.3:a:wso2:api_manager:4.3.0:-::::::`
wso2 / api manager	`cpe:2.3:a:wso2:api_manager:4.4.0:-::::::`
wso2 / api manager	`cpe:2.3:a:wso2:api_manager:4.5.0:-::::::`
wso2 / api manager	`cpe:2.3:a:wso2:api_manager:4.6.0:-::::::`
wso2 / enterprise integrator	`cpe:2.3:a:wso2:enterprise_integrator:6.6.0:::::::*`
wso2 / identity server	`cpe:2.3:a:wso2:identity_server:5.10.0:::::::*`
wso2 / identity server	`cpe:2.3:a:wso2:identity_server:5.11.0:::::::*`
wso2 / identity server	`cpe:2.3:a:wso2:identity_server:6.0.0:-::::::`
wso2 / identity server	`cpe:2.3:a:wso2:identity_server:6.1.0:-::::::`
wso2 / identity server	`cpe:2.3:a:wso2:identity_server:7.0.0:-::::::`
wso2 / identity server	`cpe:2.3:a:wso2:identity_server:7.1.0:-::::::`
wso2 / identity server	`cpe:2.3:a:wso2:identity_server:7.2.0:::::::*`
wso2 / identity server as key manager	`cpe:2.3:a:wso2:identity_server_as_key_manager:5.10.0:::::::*`
wso2 / open banking am	`cpe:2.3:a:wso2:open_banking_am:2.0.0:::::::*`
wso2 / open banking iam	`cpe:2.3:a:wso2:open_banking_iam:2.0.0:::::::*`
wso2 / traffic manager	`cpe:2.3:a:wso2:traffic_manager:4.5.0:::::::*`
wso2 / traffic manager	`cpe:2.3:a:wso2:traffic_manager:4.6.0:::::::*`
wso2 / universal gateway	`cpe:2.3:a:wso2:universal_gateway:4.5.0:::::::*`
wso2 / universal gateway	`cpe:2.3:a:wso2:universal_gateway:4.6.0:::::::*`