Description
A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to improper input validation. User-supplied data is directly included in server responses from vulnerable service endpoints without proper sanitization or encoding, allowing an attacker to inject malicious JavaScript. Successful exploitation could lead to UI manipulation, redirection to malicious websites, or data exfiltration from the browser. While session-related sensitive cookies are protected with the httpOnly flag, mitigating session hijacking risks, the impact may vary depending on gateway-level service restrictions.
CVSS breakdown
CVSS 3.1
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None
Affected products
- WSO2 / WSO2 API Manager0 – 3.1.0
- WSO2 / WSO2 API Manager3.1.0 – 3.1.0.285
- WSO2 / WSO2 API Manager3.2.0 – 3.2.0.375
- WSO2 / WSO2 API Manager3.2.1 – 3.2.1.10
- WSO2 / WSO2 API Manager4.0.0 – 4.0.0.300
- WSO2 / WSO2 API Manager4.1.0 – 4.1.0.160
- WSO2 / WSO2 API Manager4.2.0 – 4.2.0.92
- WSO2 / WSO2 API Manager4.3.0 – 4.3.0.10
- WSO2 / WSO2 Open Banking AM0 – 2.0.0
- WSO2 / WSO2 Open Banking AM2.0.0 – 2.0.0.349