LiveActive security incident?Get immediate response
CVE Record

CVE-2025-13475: Cross-Tenant Access via Application Consent Mismanagement in Multiple WSO2 Products Allows Unauthorized Data Exposure

In multi-tenanted deployments, the application consent management mechanism fails to correctly isolate consent scopes between tenants. Consent granted by a user for a specific SaaS application within one tenant can be incorrectly applied to SaaS applications with the same name in other tenants, leading to unintended cross-tenant consent sharing. This vulnerability may result in the exposure of user data across tenants, enabling SaaS applications in different tenants to access and modify information without explicit user authorization. This can lead to unauthorized data access and privacy violations. This vulnerability has no impact if the deployment does not support multi-tenancy.

LowCVSS 3.5Not KEV-listedUpdated
Glexia's TakeAutomated analysislow

Security readout for executives and security teams

Plain-English summary

This is a low-severity WSO2 tenant-isolation issue. In multi-tenant deployments, consent given to a SaaS app in one tenant may be treated as consent for a same-named SaaS app in another tenant. That can expose user data across tenant boundaries without explicit authorization. Deployments without multi-tenancy are stated as unaffected.

Executive priority

Treat this as a targeted privacy and tenant-isolation issue, not a broad emergency. Prioritize organizations running multi-tenant WSO2 deployments, especially where tenant data separation is a contractual or regulatory requirement.

Technical view

The consent management mechanism does not correctly isolate consent scopes by tenant. With low-privileged access and user interaction, a SaaS application sharing a name across tenants may inherit consent intended for another tenant. CVSS is 3.5, with network attack vector, low complexity, low privileges, user interaction required, and low confidentiality impact.

Likely exposure

Exposure appears limited to multi-tenant WSO2 deployments using affected WSO2 Identity Server or WSO2 API Manager versions and SaaS applications with matching names across tenants. Single-tenant deployments are stated as not impacted.

Exploitation context

The bundle does not cite active exploitation, and KEV status is false. Exploitation would require a multi-tenant setup, relevant SaaS application consent flows, low privileges, and user interaction. Evidence is insufficient to claim public exploitation.

Researcher notes

The key research angle is consent scope isolation across tenant boundaries. Validate only whether consent for one tenant can affect a same-named SaaS application in another tenant. The source bundle does not provide patch details or exploitation evidence.

Mitigation direction

  • Review WSO2 advisory WSO2-2025-1613 for official remediation guidance.
  • Prioritize assessment of multi-tenant WSO2 environments first.
  • Identify same-named SaaS applications across tenants.
  • Review application consent configuration for unintended cross-tenant scope sharing.
  • Limit multi-tenancy exposure where it is not operationally required.

Validation and detection

  • Confirm whether the deployment supports multi-tenancy.
  • Inventory affected WSO2 Identity Server and API Manager versions.
  • Map SaaS application names across all tenants.
  • Review consent records for cross-tenant scope reuse.
  • Check whether any same-named SaaS apps can access unintended user data.
Prepared
Confidence
high
Sources
3

Generated from the cited source records. This long-tail analysis has not been individually reviewed by a named human.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context.

cwe · low confidence lookup

CWE-288: Exact CWE lookup

Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior. Open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context. This is a Glexia lookup hint, not an official ATT&CK mapping.

Open ATT&CK lookup
cve · low confidence lookup

CVE-2025-13475 mapping review

Open the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.

Open ATT&CK lookup
Vulnerability profileCVE Program record
Severity
Low
CVSS
3.5 (3.1)
Known Exploited
No
Published

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

1CVSS vectors
3Timeline events
1ADP providers
2Source links

SSVC decision data

CISA-ADPCISA Coordinator
Timestamp
Version
2.0.3
Exploitation: noneAutomatable: noTechnical Impact: partial

CVSS vector scores

1 official score

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score.

ScoreVersionSeverityVectorExploitImpactSource
3.5CVSS 3.1LowCVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N2.11.4WSO2

Vulnerability scoring details

Base CVSS 3.1 score

3.5Low
CVSS 3.1 vector shape for CVE-2025-13475Attack VectorAttack ComplexityPrivileges RequiredUser InteractionScopeConfidentiality ImpactIntegrity ImpactAvailability Impact

Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

Attack Vector
NetworkAdjacentLocalPhysical
Attack Complexity
LowHigh
Privileges Required
NoneLowHigh
User Interaction
NoneRequired
Scope
ChangedUnchanged
Confidentiality Impact
HighLowNone
Integrity Impact
HighLowNone
Availability Impact
HighLowNone

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. CVE reservedCVE Program

    The CVE ID was reserved by the assigning CNA.

  2. CVE publishedCVE Program

    The CVE record was published.

  3. CVE updatedCVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

CISA-ADPCISA ADP Vulnrichment
other:ssvc
Affected products

Products and packages named in the record

VendorProductVersion / packageStatus
WSO2WSO2 Identity Server0, 5.10.0unaffected
WSO2WSO2 API Manager0, 3.2.0, 3.2.1unaffected
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

CWE-288 · source CWE mapping

Authentication Bypass Using an Alternate Path or Channel

Authentication Bypass Using an Alternate Path or Channel represents a recurring weakness pattern that can create exploitable paths when design, validation, or implementation controls are missing.