Description
A reflected cross-site scripting (XSS) vulnerability exists in the authentication endpoints of multiple WSO2 products due to a lack of output encoding. A malicious actor can inject arbitrary JavaScript payloads into the authentication endpoint, which are reflected back in the response, enabling browser-based attacks. Exploitation may result in redirection to malicious websites, UI manipulation, or unauthorized data access from the victim’s browser. However, session-related cookies are protected with the httpOnly flag, which mitigates session hijacking via this vector.
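The flaw class the advisory describes, reflected output without encoding in a login page, is easiest to see side by side with its fix. The block below is an added example, not WSO2 code: the form template, the `username` and `error` parameter names and the probe values are all hypothetical and constructed inline. It renders the same page once with raw reflection and once with HTML entity encoding at the output point, gives a defender-side check for whether a parameter survives into the response with its markup characters intact, and checks the `HttpOnly` attribute on a `Set-Cookie` header, the mitigation the advisory credits with blocking session theft through this vector.

```python
"""Reflected XSS in an authentication endpoint: raw vs encoded output.

Added example, not WSO2 code. The endpoint, parameter names and page
template are hypothetical; the request values are constructed inline.
"""
import html
import re

# Hypothetical login form template. The authentication endpoint echoes the
# failed username and an error message back into the page: one value lands
# in an element body, the other in a double-quoted attribute value.
_TEMPLATE = (
    '<form action="/login" method="post">\n'
    '  <p class="error">{error}</p>\n'
    '  <input name="username" value="{username}">\n'
    '</form>'
)


def render_vulnerable(params: dict) -> str:
    """Reflects request parameters with no output encoding (the flaw class
    the advisory describes). A '<' or '"' in the input changes the markup."""
    return _TEMPLATE.format(
        error=params.get("error", ""),
        username=params.get("username", ""),
    )


def render_encoded(params: dict) -> str:
    """Same page with HTML entity encoding applied at the output point.
    html.escape(quote=True) rewrites &, <, >, " and ', which covers both the
    element-body and the double-quoted-attribute contexts used here."""
    return _TEMPLATE.format(
        error=html.escape(params.get("error", ""), quote=True),
        username=html.escape(params.get("username", ""), quote=True),
    )


_MARKUP_CHARS = re.compile(r'[<>"\']')


def reflected_unencoded(page: str, value: str) -> bool:
    """Defender-side check: True if a submitted value that carries
    markup-significant characters appears verbatim in the response, i.e.
    the page is missing output encoding for that parameter."""
    return bool(_MARKUP_CHARS.search(value)) and value in page


def unencoded_params(render, params: dict) -> list:
    """Names of the parameters that the given renderer reflects unencoded."""
    page = render(params)
    return [name for name, value in params.items() if reflected_unencoded(page, value)]


def cookie_has_http_only(set_cookie: str) -> bool:
    """True if a Set-Cookie header value carries the HttpOnly attribute,
    which keeps the session cookie out of reach of page script."""
    attributes = set_cookie.split(";")[1:]
    return any(attr.strip().lower() == "httponly" for attr in attributes)


# Constructed request: benign values that contain markup characters. They
# are not payloads; they only exercise the encoding path.
PROBE = {"username": 'alice"><i>probe</i>', "error": "Invalid <credentials>"}

if __name__ == "__main__":
    print("vulnerable renderer reflects unencoded:", unencoded_params(render_vulnerable, PROBE))
    print("encoded renderer reflects unencoded:   ", unencoded_params(render_encoded, PROBE))
    print(render_encoded(PROBE))
```

The check in `unencoded_params` is deliberately generic: run it against any renderer (or a captured response body) with values that contain `<`, `>`, `"` or `'`, and a non-empty result names the parameters that need encoding at their output point. Encoding must match the context the value is written into; `html.escape(quote=True)` is correct for element bodies and quoted attribute values, but a value placed inside a script block or a URL needs that context's own encoder.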
CVSS breakdown
CVSS 3.1 (vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Confidentiality: Low
- Integrity: Low
- Availability: None
Affected products
- WSO2 / WSO2 API Control Plane 4.5.0 – 4.5.0.11
- WSO2 / WSO2 API Manager 0 – 4.2.0
- WSO2 / WSO2 API Manager 4.2.0 – 4.2.0.150
- WSO2 / WSO2 API Manager 4.3.0 – 4.3.0.63
- WSO2 / WSO2 API Manager 4.4.0 – 4.4.0.26
- WSO2 / WSO2 API Manager 4.5.0 – 4.5.0.10
- WSO2 / WSO2 Identity Server 6.0.0 – 6.0.0.247
- WSO2 / WSO2 Identity Server 6.1.0 – 6.1.0.246
- WSO2 / WSO2 Identity Server 7.0.0 – 7.0.0.122
- WSO2 / WSO2 Identity Server 7.1.0 – 7.1.0.29
- WSO2 / WSO2 Identity Server 0 – 6.0.0