Severity by source
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Network-delivered reflected XSS, no attacker privileges needed, mandatory user click (UI:R), scope change crosses into browser context; confidentiality and integrity limited by httpOnly session cookies.
Primary rating from Vendor (WSO2).
CVSS VectorVendor: WSO2
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The software accepts user-supplied input via a URL parameter without adequate output encoding before reflecting it back to the user's browser. This condition allows an attacker to inject malicious script content into pages served by the application.
By leveraging this weakness, an attacker can cause the user's browser to redirect to a malicious website, modify the UI of the webpage, or retrieve information from the browser. However, the impact is mitigated by the use of httpOnly flags on session-related cookies, preventing session hijacking.
AnalysisAI
Reflected cross-site scripting across at least eight WSO2 platform products - including Identity Server, API Manager, API Control Plane, Traffic Manager, Universal Gateway, Open Banking AM/IAM, and Identity Server as Key Manager - allows unauthenticated remote attackers to inject arbitrary script via unsanitized URL parameters. An attacker who tricks an authenticated user into clicking a crafted link can redirect the victim to a malicious site, tamper with rendered page content, or exfiltrate non-session browser data; partial mitigation is provided by httpOnly flags on session cookies, which block direct session token theft. No public exploit identified at time of analysis; WSO2 self-reported the issue and published advisory WSO2-2025-4343.
Technical ContextAI
CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-site Scripting) describes the root cause: user-controlled data from a URL query parameter is reflected into the HTTP response without adequate output encoding, allowing the browser to interpret attacker-supplied content as executable script rather than inert text. The scope-changed CVSS vector (S:C) correctly captures the trust-boundary crossing inherent in XSS: the exploit executes in the victim's browser security context rather than the server's. All eight affected products are WSO2's Java-based middleware stack covering IAM, API gateway, and open banking compliance roles. The CPE strings (cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:* and siblings) use wildcards, indicating no specific version bound has been published in NVD at time of analysis. The httpOnly cookie flag - a server-set HTTP attribute preventing JavaScript access to cookies - is confirmed as a partial control, specifically blocking the most common XSS post-exploitation step of session token theft.
RemediationAI
Consult WSO2 security advisory WSO2-2025-4343 at https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4343/ for specific patched version numbers and upgrade instructions - exact fix versions are not independently confirmed in available NVD data and should not be inferred. For deployments where immediate patching is not feasible, consider deploying a Web Application Firewall (WAF) rule to strip or reject reflected script-bearing query parameters on the affected endpoints, noting that WAF bypass is a known risk and this is not a substitute for patching. Additionally, validate that httpOnly and Secure flags are enforced on all session cookies across all eight product components, which limits but does not eliminate XSS impact. Restricting access to vulnerable endpoints at the network perimeter (e.g., limiting external internet exposure of Identity Server or API Manager admin/login surfaces) reduces the phishing attack surface but does not remediate the vulnerability for internal users.
More in Wso2 Identity Server
View allMemory exhaustion denial-of-service in WSO2 Identity Server's Magic Link authenticator allows remote unauthenticated att
The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the
Due to a lack of user account state validation during authentication, locked user accounts can be successfully authentic
WSO2 Identity Server in multi-organization deployments fails to validate organization context during adaptive authentica
The authentication endpoint accepts user-supplied input without enforcing expected validation constraints, leading to a
The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script
Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This fail
The silent Just-In-Time (JIT) provisioning feature in federated authentication implementations fails to properly segrega
The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker
Cross-tenant consent leakage in WSO2 Identity Server and WSO2 API Manager multi-tenant deployments lets a SaaS applicati
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-210428
GHSA-gqrf-mwwc-fmq5