The host is installed with WSO2 API Manager version before 2.6.0 and is prone to a cross-site scripting vulnerability. A flaw is present in the applications which fails to properly handle a crafted filename to the file-upload feature of the event simulator component. Successful exploitation allows attackers to cause unspecified impact.