Skip to main content

WSO2 Identity Server CVE-2025-8591

| EUVDEUVD-2025-210428 MEDIUM
Cross-site Scripting (XSS) (CWE-79)
2026-07-06 WSO2 GHSA-gqrf-mwwc-fmq5
6.1
CVSS 3.1 · Vendor: WSO2
Share

Severity by source

Vendor (WSO2) PRIMARY
6.1 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
vuln.today AI
6.1 MEDIUM

Network-delivered reflected XSS, no attacker privileges needed, mandatory user click (UI:R), scope change crosses into browser context; confidentiality and integrity limited by httpOnly session cookies.

3.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (WSO2).

CVSS VectorVendor: WSO2

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Changed
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Patch available
Jul 06, 2026 - 12:01 EUVD
Analysis Generated
Jul 06, 2026 - 11:04 vuln.today

DescriptionCVE.org

The software accepts user-supplied input via a URL parameter without adequate output encoding before reflecting it back to the user's browser. This condition allows an attacker to inject malicious script content into pages served by the application.

By leveraging this weakness, an attacker can cause the user's browser to redirect to a malicious website, modify the UI of the webpage, or retrieve information from the browser. However, the impact is mitigated by the use of httpOnly flags on session-related cookies, preventing session hijacking.

AnalysisAI

Reflected cross-site scripting across at least eight WSO2 platform products - including Identity Server, API Manager, API Control Plane, Traffic Manager, Universal Gateway, Open Banking AM/IAM, and Identity Server as Key Manager - allows unauthenticated remote attackers to inject arbitrary script via unsanitized URL parameters. An attacker who tricks an authenticated user into clicking a crafted link can redirect the victim to a malicious site, tamper with rendered page content, or exfiltrate non-session browser data; partial mitigation is provided by httpOnly flags on session cookies, which block direct session token theft. No public exploit identified at time of analysis; WSO2 self-reported the issue and published advisory WSO2-2025-4343.

Technical ContextAI

CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-site Scripting) describes the root cause: user-controlled data from a URL query parameter is reflected into the HTTP response without adequate output encoding, allowing the browser to interpret attacker-supplied content as executable script rather than inert text. The scope-changed CVSS vector (S:C) correctly captures the trust-boundary crossing inherent in XSS: the exploit executes in the victim's browser security context rather than the server's. All eight affected products are WSO2's Java-based middleware stack covering IAM, API gateway, and open banking compliance roles. The CPE strings (cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:* and siblings) use wildcards, indicating no specific version bound has been published in NVD at time of analysis. The httpOnly cookie flag - a server-set HTTP attribute preventing JavaScript access to cookies - is confirmed as a partial control, specifically blocking the most common XSS post-exploitation step of session token theft.

RemediationAI

Consult WSO2 security advisory WSO2-2025-4343 at https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4343/ for specific patched version numbers and upgrade instructions - exact fix versions are not independently confirmed in available NVD data and should not be inferred. For deployments where immediate patching is not feasible, consider deploying a Web Application Firewall (WAF) rule to strip or reject reflected script-bearing query parameters on the affected endpoints, noting that WAF bypass is a known risk and this is not a substitute for patching. Additionally, validate that httpOnly and Secure flags are enforced on all session cookies across all eight product components, which limits but does not eliminate XSS impact. Restricting access to vulnerable endpoints at the network perimeter (e.g., limiting external internet exposure of Identity Server or API Manager admin/login surfaces) reduces the phishing attack surface but does not remediate the vulnerability for internal users.

CVE-2025-10470 HIGH
8.6 May 11

Memory exhaustion denial-of-service in WSO2 Identity Server's Magic Link authenticator allows remote unauthenticated att

CVE-2024-2374 HIGH
7.5 Apr 16

The XML parsers within multiple WSO2 products accept user-supplied XML data without properly configuring to prevent the

CVE-2025-10908 HIGH
7.3 May 11

Due to a lack of user account state validation during authentication, locked user accounts can be successfully authentic

CVE-2025-9973 MEDIUM
6.4 May 11

WSO2 Identity Server in multi-organization deployments fails to validate organization context during adaptive authentica

CVE-2025-10503 MEDIUM
6.1 Apr 29

The authentication endpoint accepts user-supplied input without enforcing expected validation constraints, leading to a

CVE-2025-6024 MEDIUM
6.1 Apr 16

The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script

CVE-2025-12624 MEDIUM
6.0 Apr 16

Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This fail

CVE-2024-1248 MEDIUM
5.3 Jul 04

The silent Just-In-Time (JIT) provisioning feature in federated authentication implementations fails to properly segrega

CVE-2024-0391 MEDIUM
5.3 May 11

The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker

CVE-2025-13475 HIGH
7.3 Jul 04

Cross-tenant consent leakage in WSO2 Identity Server and WSO2 API Manager multi-tenant deployments lets a SaaS applicati

Share

CVE-2025-8591 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy