CVE-2024-6914

Published May 22, 2025

Last updated 7 months ago

CVSS critical 9.8
Business logic

Overview

Description
An incorrect authorization vulnerability exists in multiple WSO2 products due to a business logic flaw in the account recovery-related SOAP admin service. A malicious actor can exploit this vulnerability to reset the password of any user account, leading to a complete account takeover, including accounts with elevated privileges. This vulnerability is exploitable only through the account recovery SOAP admin services exposed via the "/services" context path in affected products. The impact may be reduced if access to these endpoints has been restricted based on the "Security Guidelines for Production Deployment" by disabling exposure to untrusted networks.
Source
ed10eef1-636d-4fbe-9993-6890dfa878f8
NVD status
Analyzed
Products
api_manager, identity_server, identity_server_as_key_manager, open_banking_am, open_banking_iam, open_banking_km

Risk scores

CVSS 3.1

Type
Secondary
Base score
9.8
Impact score
5.9
Exploitability score
3.9
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Severity
CRITICAL

Weaknesses

ed10eef1-636d-4fbe-9993-6890dfa878f8
CWE-863

Social media

Hype score
Not currently trending

  1. برای محصول WSO2 ، آسیب پذیری با کد شناسایی CVE-2024-6914 و با نمره 9.8 منتشر شده است. هکرها می توانند با ارسال درخواست از نوع SOAP , پسورد هر یوزری حتی یوزر administrator را نی

    @AmirHossein_sec

    27 May 2025

    54 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  2. Warning: A critical authorization flaw in #WSO2 (CVE-2024-6914, CVSS 9.8) allows attackers full control of accounts. Do NOT delay—restrict access from untrusted networks and apply patches immediately. Follow vendor guidelines now: https://t.co/jShrwwm5Qp #CyberSecurity #Patch

    @CCBalert

    26 May 2025

    145 Impressions

    1 Retweet

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  3. CVE-2024-6914 An incorrect authorization vulnerability exists in multiple WSO2 products due to a business logic flaw in the account recovery-related SOAP admin service. A malicious a… https://t.co/uf1dfAulZw

    @CVEnew

    22 May 2025

    294 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

  4. [CVE-2024-6914: CRITICAL] Critical authorization flaw found in WSO2 products' account recovery SOAP admin service allows attackers to reset passwords & take over accounts. Secure against exposure to untrusted ...#cve,CVE-2024-6914,#cybersecurity https://t.co/516XCUVSwe https:

    @CveFindCom

    22 May 2025

    24 Impressions

    0 Retweets

    0 Likes

    0 Bookmarks

    0 Replies

    0 Quotes

Configurations

Related CVEs

  1. Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usable, enabling continued access to protected resources by locked user accounts. The security consequence is that a locked user account can maintain access to protected resources through the use of existing, unexpired access tokens. This creates a security gap where access control policies are bypassed, potentially leading to unauthorized data access or actions until the tokens naturally expire.CVE-2025-12624
  2. The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection. An attacker can leverage this by injecting malicious scripts into the authentication endpoint. This can result in the user's browser being redirected to a malicious website, manipulation of the web page's user interface, or the retrieval of information from the browser. However, session hijacking is not possible due to the httpOnly flag protecting session-related cookies.CVE-2025-6024
  3. The component accepts XML input through the publisher without disabling external entity resolution. This allows malicious actors to submit a crafted XML payload that exploits the unescaped external entity references. By leveraging this vulnerability, a malicious actor can read confidential files from the product's file system or access limited HTTP resources reachable via HTTP GET requests to the vulnerable product.CVE-2024-8010
  4. The WSO2 API Manager developer portal accepts user-supplied input without enforcing expected validation constraints or proper output encoding. This deficiency allows a malicious actor to inject script content that is executed within the context of a user's browser. By leveraging this cross-site scripting vulnerability, a malicious actor can cause the browser to redirect to a malicious website, make changes to the UI of the web page, or retrieve information from the browser. However, session hijacking is not possible as all session-related sensitive cookies are protected by the httpOnly flag.CVE-2024-4867
  5. The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response. This allows an attacker to inject malicious script payloads into the input parameters, which are then executed by the victim's browser. Successful exploitation can enable an attacker to redirect the user's browser to a malicious website, modify the UI of the web page, or retrieve information from the browser. However, the impact is limited as session-related sensitive cookies are protected by the httpOnly flag, preventing session hijacking.CVE-2024-10242

References

Sources include official advisories and independent security research.