CVE-2024-0392

low-risk

Published 2025-02-27

A Cross-Site Request Forgery (CSRF) vulnerability exists in the management console of WSO2 Enterprise Integrator 6.6.0 due to the absence of CSRF token validation. This flaw allows attackers to craft malicious requests that can trigger state-changing operations on behalf of an authenticated user, potentially compromising account settings and data integrity. The vulnerability only affects a limited set of state-changing operations, and successful exploitation requires social engineering to trick a user with access to the management console into performing the malicious action.

Do I need to act?

0.27% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 5.4/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Enterprise Integrator

Affected Vendors

Wso2

References (1)

Vendor Advisory https://security.docs.wso2.com/en/latest/security-announcements/security-advisor...

/ 100

low-risk

Severity 21/34 · High

Exploitability 1/34 · Minimal

Exposure 5/34 · Minimal