Miggo Logo
Miggo Vulnerability Database
CVE-2023-6835

CVE-2023-6835: WSO2 API Manager allows attackers to change the API rating

4.3

CVSS Score
3.1

Basic Information

CVE ID
CVE-2023-6835
GHSA ID
GHSA-w7rx-824v-rgx5
EPSS Score
0.47849%
CWE
CWE-20
Published
12/15/2023
Updated
12/28/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.wso2.carbon.apimgt:forummaven<= 9.0.78

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The GitHub commit diff explicitly shows the vulnerable rateTopic function was modified to add input validation for the rating parameter. Prior to this patch, there was no server-side validation of the rating value, enabling manipulation. The CVE description confirms this lack of validation in the Forum feature's API rating mechanism. No other functions show direct evidence of vulnerability in the provided materials.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

Multipl* WSO* pro*u*ts **v* ***n i**nti*i** *s vuln*r**l* *u* to l**k o* s*rv*r-si** input v*li**tion in t** *orum ***tur*, *PI r*tin* *oul* ** m*nipul*t**.

Reasoning

T** *it*u* *ommit *i** *xpli*itly s*ows t** vuln*r**l* `r*t*Topi*` *un*tion w*s mo*i*i** to *** input v*li**tion *or t** r*tin* p*r*m*t*r. Prior to t*is p*t**, t**r* w*s no s*rv*r-si** v*li**tion o* t** r*tin* v*lu*, *n**lin* m*nipul*tion. T** *V* **