Reflected Cross-Site Scripting (XSS) in Management Console of Multiple WSO2...

5.2 / 10

MEDIUM

CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters, a malicious actor can inject arbitrary JavaScript into the response, leading to reflected XSS.

Successful exploitation could result in UI manipulation, redirection to malicious websites, or data theft from the browser. However, session-related sensitive cookies are protected with the httpOnly flag, which mitigates the risk of session hijacking.

Basic Information

ID CVE-2025-10853

Source WSO2

Published Nov 5, 2025 at 19:21

Modified Nov 5, 2025 at 19:58

Affected Product

Vendor WSO2

Product WSO2 Open Banking IAM

Affected Versions WSO2 WSO2 Open Banking IAM 2.0.0
WSO2 WSO2 API Manager 3.1.0
WSO2 WSO2 API Manager 3.2.0
WSO2 WSO2 API Manager 3.2.1
WSO2 WSO2 API Manager 4.0.0
WSO2 WSO2 API Manager 4.1.0
WSO2 WSO2 API Manager 4.2.0
WSO2 WSO2 API Manager 4.3.0
WSO2 WSO2 API Manager 4.4.0
WSO2 WSO2 API Manager 4.5.0
WSO2 WSO2 Identity Server 5.10.0
WSO2 WSO2 Identity Server 5.11.0
WSO2 WSO2 Identity Server 6.0.0
WSO2 WSO2 Identity Server 6.1.0
WSO2 WSO2 Identity Server 7.0.0
WSO2 WSO2 Identity Server 7.1.0
WSO2 WSO2 Open Banking AM 2.0.0
WSO2 WSO2 Identity Server as Key Manager 5.10.0
WSO2 WSO2 Enterprise Integrator 6.6.0
WSO2 WSO2 API Control Plane 4.5.0
WSO2 WSO2 Universal Gateway 4.5.0
WSO2 WSO2 Traffic Manager 4.5.0
WSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.info.ui 4.7.32
WSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.info.ui 4.7.35
WSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.info.ui 4.7.39
WSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.info.ui 4.7.51
WSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.info.ui 4.8.3
WSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.info.ui 4.8.13
WSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.info.ui 4.8.32
WSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.info.ui 4.8.36
WSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.info.ui 4.8.43
WSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui 4.7.24
WSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui 4.7.32
WSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui 4.7.33
WSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui 4.7.35
WSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui 4.7.39
WSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui 4.7.51
WSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui 4.8.3
WSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui 4.8.9
WSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui 4.8.12
WSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui 4.8.13
WSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui 4.8.24
WSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui 4.8.32
WSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui 4.8.36
WSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui 4.8.43
WSO2 org.wso2.carbon.governance:org.wso2.carbon.governance.wsdltool.ui 4.8.19
WSO2 org.wso2.carbon.governance:org.wso2.carbon.governance.wsdltool.ui 4.8.21
WSO2 org.wso2.carbon.governance:org.wso2.carbon.governance.wsdltool.ui 4.8.28
WSO2 org.wso2.carbon.governance:org.wso2.carbon.governance.wsdltool.ui 4.8.30
WSO2 org.wso2.carbon.governance:org.wso2.carbon.governance.wsdltool.ui 4.8.32
WSO2 org.wso2.carbon.governance:org.wso2.carbon.governance.wsdltool.ui 4.8.33
WSO2 org.wso2.carbon.governance:org.wso2.carbon.governance.wsdltool.ui 4.8.34
WSO2 org.wso2.carbon.governance:org.wso2.carbon.governance.wsdltool.ui 4.8.35
WSO2 org.wso2.carbon.identity.inbound.auth.oauth2:org.wso2.carbon.identity.oauth.ui 6.4.2
WSO2 org.wso2.carbon.identity.inbound.auth.oauth2:org.wso2.carbon.identity.oauth.ui 6.4.111
WSO2 org.wso2.carbon.identity.inbound.auth.oauth2:org.wso2.carbon.identity.oauth.ui 6.4.176
WSO2 org.wso2.carbon.identity.inbound.auth.oauth2:org.wso2.carbon.identity.oauth.ui 6.4.180
WSO2 org.wso2.carbon.identity.inbound.auth.oauth2:org.wso2.carbon.identity.oauth.ui 6.9.6
WSO2 org.wso2.carbon.identity.inbound.auth.oauth2:org.wso2.carbon.identity.oauth.ui 6.13.16
WSO2 org.wso2.carbon.identity.inbound.auth.oauth2:org.wso2.carbon.identity.oauth.ui 6.13.19
WSO2 org.wso2.carbon.identity.inbound.auth.oauth2:org.wso2.carbon.identity.oauth.ui 6.13.27

CWE Classification

CWE-79

References

security.docs.wso2.com /en/latest/security-announcements/security-advisories/2025/WSO2-2025-4486/

{
    "lastseen": "",
    "description": "A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters, a malicious actor can inject arbitrary JavaScript into the response, leading to reflected XSS.\n\nSuccessful exploitation could result in UI manipulation, redirection to malicious websites, or data theft from the browser. However, session-related sensitive cookies are protected with the httpOnly flag, which mitigates the risk of session hijacking.",
    "published": "2025-11-05T19:21:32.971Z",
    "modified": "2025-11-05T19:58:21.875Z",
    "type": "cve",
    "title": "Reflected Cross-Site Scripting (XSS) in Management Console of Multiple WSO2 Products Due to Improper Output Encoding",
    "source": "WSO2",
    "references": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4486/",
    "id": "CVE-2025-10853",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "WSO2 WSO2 Open Banking IAM 2.0.0\nWSO2 WSO2 API Manager 3.1.0\nWSO2 WSO2 API Manager 3.2.0\nWSO2 WSO2 API Manager 3.2.1\nWSO2 WSO2 API Manager 4.0.0\nWSO2 WSO2 API Manager 4.1.0\nWSO2 WSO2 API Manager 4.2.0\nWSO2 WSO2 API Manager 4.3.0\nWSO2 WSO2 API Manager 4.4.0\nWSO2 WSO2 API Manager 4.5.0\nWSO2 WSO2 Identity Server 5.10.0\nWSO2 WSO2 Identity Server 5.11.0\nWSO2 WSO2 Identity Server 6.0.0\nWSO2 WSO2 Identity Server 6.1.0\nWSO2 WSO2 Identity Server 7.0.0\nWSO2 WSO2 Identity Server 7.1.0\nWSO2 WSO2 Open Banking AM 2.0.0\nWSO2 WSO2 Identity Server as Key Manager 5.10.0\nWSO2 WSO2 Enterprise Integrator 6.6.0\nWSO2 WSO2 API Control Plane 4.5.0\nWSO2 WSO2 Universal Gateway 4.5.0\nWSO2 WSO2 Traffic Manager 4.5.0\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.info.ui 4.7.32\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.info.ui 4.7.35\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.info.ui 4.7.39\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.info.ui 4.7.51\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.info.ui 4.8.3\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.info.ui 4.8.13\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.info.ui 4.8.32\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.info.ui 4.8.36\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.info.ui 4.8.43\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui 4.7.24\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui 4.7.32\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui 4.7.33\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui 4.7.35\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui 4.7.39\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui 4.7.51\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui 4.8.3\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui 4.8.9\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui 4.8.12\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui 4.8.13\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui 4.8.24\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui 4.8.32\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui 4.8.36\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui 4.8.43\nWSO2 org.wso2.carbon.governance:org.wso2.carbon.governance.wsdltool.ui 4.8.19\nWSO2 org.wso2.carbon.governance:org.wso2.carbon.governance.wsdltool.ui 4.8.21\nWSO2 org.wso2.carbon.governance:org.wso2.carbon.governance.wsdltool.ui 4.8.28\nWSO2 org.wso2.carbon.governance:org.wso2.carbon.governance.wsdltool.ui 4.8.30\nWSO2 org.wso2.carbon.governance:org.wso2.carbon.governance.wsdltool.ui 4.8.32\nWSO2 org.wso2.carbon.governance:org.wso2.carbon.governance.wsdltool.ui 4.8.33\nWSO2 org.wso2.carbon.governance:org.wso2.carbon.governance.wsdltool.ui 4.8.34\nWSO2 org.wso2.carbon.governance:org.wso2.carbon.governance.wsdltool.ui 4.8.35\nWSO2 org.wso2.carbon.identity.inbound.auth.oauth2:org.wso2.carbon.identity.oauth.ui 6.4.2\nWSO2 org.wso2.carbon.identity.inbound.auth.oauth2:org.wso2.carbon.identity.oauth.ui 6.4.111\nWSO2 org.wso2.carbon.identity.inbound.auth.oauth2:org.wso2.carbon.identity.oauth.ui 6.4.176\nWSO2 org.wso2.carbon.identity.inbound.auth.oauth2:org.wso2.carbon.identity.oauth.ui 6.4.180\nWSO2 org.wso2.carbon.identity.inbound.auth.oauth2:org.wso2.carbon.identity.oauth.ui 6.9.6\nWSO2 org.wso2.carbon.identity.inbound.auth.oauth2:org.wso2.carbon.identity.oauth.ui 6.13.16\nWSO2 org.wso2.carbon.identity.inbound.auth.oauth2:org.wso2.carbon.identity.oauth.ui 6.13.19\nWSO2 org.wso2.carbon.identity.inbound.auth.oauth2:org.wso2.carbon.identity.oauth.ui 6.13.27",
    "sourceHref": "",
    "cvss": {
        "score": 5.2,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "WSO2 Open Banking IAM",
    "version": "0",
    "vendor": "WSO2",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Reflected Cross-Site Scripting (XSS) in Management Console of Multiple WSO2 Products Due to Improper Output Encoding_CVE-2025-10853