CVE-2022-39810
CVE-2022-39810 is a medium-severity vulnerability in Wso2 Enterprise Integrator with a CVSS 3.x base score of 6.1. Its EPSS exploit-prediction score of 57% places it in the 99th percentile, indicating an elevated likelihood of exploitation. The underlying weakness is classified as CWE-79.
Key facts
- Severity: Medium (CVSS 3.x base score 6.1)
- EPSS exploit prediction: 57% (99th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-79
- Affected product: Wso2 Enterprise Integrator
- Published:
- Last modified:
Description
An issue was discovered in WSO2 Enterprise Integrator 6.4.0. A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console under /carbon/ndatasource/validateconnection/ajaxprocessor.jsp via the driver parameter. Session hijacking or similar attacks would not be possible.
Frequently asked questions
- What is CVE-2022-39810?
- An issue was discovered in WSO2 Enterprise Integrator 6.4.0. A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console under /carbon/ndatasource/validateconnection/ajaxprocessor.jsp via the driver parameter. Session hijacking or similar attacks would not be possible.
- How severe is CVE-2022-39810?
- CVE-2022-39810 has a CVSS 3.x base score of 6.1, rated medium severity. It is exploitable over network with low attack complexity, requires no privileges and user interaction. Impact on confidentiality is low, integrity low, and availability none.
- Is CVE-2022-39810 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 57% (99th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2022-39810?
- CVE-2022-39810 affects Wso2 Enterprise Integrator. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2022-39810?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2022-39810 published?
- CVE-2022-39810 was published on 2022-09-09 and last updated on 2026-06-17.
References
Affected products (1)
- cpe:2.3:a:wso2:enterprise_integrator:6.4.0:*:*:*:*:*:*:*
More vulnerabilities in Wso2 Enterprise Integrator
- CVE-2022-29464 — Critical (CVSS 9.8): Certain WSO2 products allow unrestricted file upload with resultant remote code execution. The attacker must use a…
- CVE-2025-9804 — Critical (CVSS 9.6): An improper access control vulnerability exists in multiple WSO2 products due to insufficient permission enforcement in…
- CVE-2025-6670 — High (CVSS 8.8): A Cross-Site Request Forgery (CSRF) vulnerability exists in multiple WSO2 products due to the use of the HTTP GET…
- CVE-2020-24703 — High (CVSS 8.8): An issue was discovered in certain WSO2 products. A valid Carbon Management Console session cookie may be sent to an…
- CVE-2025-11093 — High (CVSS 8.4): An arbitrary code execution vulnerability exists in multiple WSO2 products due to insufficient restrictions in the…
- CVE-2025-10907 — High (CVSS 8.4): An arbitrary file upload vulnerability exists in multiple WSO2 products due to insufficient validation of uploaded…
All CVEs affecting Wso2 Enterprise Integrator →
Other CWE-79 (Cross-site Scripting (XSS)) vulnerabilities
- CVE-2025-49410 — Critical (CVSS 10.0): Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Imran Emu TC…
- CVE-2024-47875 — Critical (CVSS 10.0): DOMPurify is a DOM-only, super-fast, uber-tolerant XSS sanitizer for HTML, MathML and SVG. DOMpurify was vulnerable to…
- CVE-2024-6886 — Critical (CVSS 10.0): Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Gitea…
- CVE-2023-45144 — Critical (CVSS 10.0): com.xwiki.identity-oauth:identity-oauth-ui is a package to aid in building identity and service providers based on…
- CVE-2023-45138 — Critical (CVSS 10.0): Change Request is an pplication allowing users to request changes on a wiki without publishing the changes directly.…
- CVE-2022-4361 — Critical (CVSS 10.0): Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerability in the…
Browse all CWE-79 (Cross-site Scripting (XSS)) vulnerabilities →