Reflected Cross-Site Scripting (XSS) in Authentication Endpoints of Multiple WSO2...

6.1 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Description

A reflected cross-site scripting (XSS) vulnerability exists in the authentication endpoints of multiple WSO2 products due to a lack of output encoding. A malicious actor can inject arbitrary JavaScript payloads into the authentication endpoint, which are reflected back in the response, enabling browser-based attacks.

Exploitation may result in redirection to malicious websites, UI manipulation, or unauthorized data access from the victim’s browser. However, session-related cookies are protected with the httpOnly flag, which mitigates session hijacking via this vector.

Basic Information

ID CVE-2025-5770

Source WSO2

Published Nov 5, 2025 at 19:02

Modified Nov 5, 2025 at 20:13

Affected Product

Vendor WSO2

Product WSO2 Identity Server

Affected Versions WSO2 WSO2 Identity Server 6.0.0
WSO2 WSO2 Identity Server 6.1.0
WSO2 WSO2 Identity Server 7.0.0
WSO2 WSO2 Identity Server 7.1.0
WSO2 WSO2 API Manager 4.2.0
WSO2 WSO2 API Manager 4.3.0
WSO2 WSO2 API Manager 4.4.0
WSO2 WSO2 API Manager 4.5.0
WSO2 WSO2 API Control Plane 4.5.0

CWE Classification

CWE-79

References

security.docs.wso2.com /en/latest/security-announcements/security-advisories/2025/WSO2-2025-4270/

{
    "lastseen": "",
    "description": "A reflected cross-site scripting (XSS) vulnerability exists in the authentication endpoints of multiple WSO2 products due to a lack of output encoding. A malicious actor can inject arbitrary JavaScript payloads into the authentication endpoint, which are reflected back in the response, enabling browser-based attacks.\n\nExploitation may result in redirection to malicious websites, UI manipulation, or unauthorized data access from the victim\u2019s browser. However, session-related cookies are protected with the httpOnly flag, which mitigates session hijacking via this vector.",
    "published": "2025-11-05T19:02:48.434Z",
    "modified": "2025-11-05T20:13:05.330Z",
    "type": "cve",
    "title": "Reflected Cross-Site Scripting (XSS) in Authentication Endpoints of Multiple WSO2 Products",
    "source": "WSO2",
    "references": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4270/",
    "id": "CVE-2025-5770",
    "bulletinFamily": "",
    "cwe": [
        "CWE-79"
    ],
    "cvelist": null,
    "sourceData": "WSO2 WSO2 Identity Server 6.0.0\nWSO2 WSO2 Identity Server 6.1.0\nWSO2 WSO2 Identity Server 7.0.0\nWSO2 WSO2 Identity Server 7.1.0\nWSO2 WSO2 API Manager 4.2.0\nWSO2 WSO2 API Manager 4.3.0\nWSO2 WSO2 API Manager 4.4.0\nWSO2 WSO2 API Manager 4.5.0\nWSO2 WSO2 API Control Plane 4.5.0",
    "sourceHref": "",
    "cvss": {
        "score": 6.1,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "WSO2 Identity Server",
    "version": "0",
    "vendor": "WSO2",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Reflected Cross-Site Scripting (XSS) in Authentication Endpoints of Multiple WSO2 Products_CVE-2025-5770