{"id":24912,"date":"2025-11-05T14:44:04","date_gmt":"2025-11-05T14:44:04","guid":{"rendered":"http:\/\/localhost\/?p=24912"},"modified":"2025-11-05T14:44:04","modified_gmt":"2025-11-05T14:44:04","slug":"reflected-cross-site-scripting-xss-in-management-console-of-multiple-wso2-products-due-to-improper-o","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=24912","title":{"rendered":"Reflected Cross-Site Scripting (XSS) in Management Console of Multiple WSO2 Products Due to Improper Output Encoding_CVE-2025-10853"},"content":{"rendered":"

{“lastseen”:””,”description”:”A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters, a malicious actor can inject arbitrary JavaScript into the response, leading to reflected XSS.\\n\\nSuccessful exploitation could result in UI manipulation, redirection to malicious websites, or data theft from the browser. However, session-related sensitive cookies are protected with the httpOnly flag, which mitigates the risk of session hijacking.”,”published”:”2025-11-05T19:21:32.971Z”,”modified”:”2025-11-05T19:58:21.875Z”,”type”:”cve”,”title”:”Reflected Cross-Site Scripting (XSS) in Management Console of Multiple WSO2 Products Due to Improper Output Encoding”,”source”:”WSO2″,”references”:”https:\/\/security.docs.wso2.com\/en\/latest\/security-announcements\/security-advisories\/2025\/WSO2-2025-4486\/”,”id”:”CVE-2025-10853″,”bulletinFamily”:””,”cwe”:[“CWE-79″],”cvelist”:null,”sourceData”:”WSO2 WSO2 Open Banking IAM 2.0.0\\nWSO2 WSO2 API Manager 3.1.0\\nWSO2 WSO2 API Manager 3.2.0\\nWSO2 WSO2 API Manager 3.2.1\\nWSO2 WSO2 API Manager 4.0.0\\nWSO2 WSO2 API Manager 4.1.0\\nWSO2 WSO2 API Manager 4.2.0\\nWSO2 WSO2 API Manager 4.3.0\\nWSO2 WSO2 API Manager 4.4.0\\nWSO2 WSO2 API Manager 4.5.0\\nWSO2 WSO2 Identity Server 5.10.0\\nWSO2 WSO2 Identity Server 5.11.0\\nWSO2 WSO2 Identity Server 6.0.0\\nWSO2 WSO2 Identity Server 6.1.0\\nWSO2 WSO2 Identity Server 7.0.0\\nWSO2 WSO2 Identity Server 7.1.0\\nWSO2 WSO2 Open Banking AM 2.0.0\\nWSO2 WSO2 Identity Server as Key Manager 5.10.0\\nWSO2 WSO2 Enterprise Integrator 6.6.0\\nWSO2 WSO2 API Control Plane 4.5.0\\nWSO2 WSO2 Universal Gateway 4.5.0\\nWSO2 WSO2 Traffic Manager 4.5.0\\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.info.ui 4.7.32\\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.info.ui 4.7.35\\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.info.ui 4.7.39\\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.info.ui 4.7.51\\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.info.ui 4.8.3\\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.info.ui 4.8.13\\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.info.ui 4.8.32\\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.info.ui 4.8.36\\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.info.ui 4.8.43\\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui 4.7.24\\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui 4.7.32\\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui 4.7.33\\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui 4.7.35\\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui 4.7.39\\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui 4.7.51\\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui 4.8.3\\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui 4.8.9\\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui 4.8.12\\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui 4.8.13\\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui 4.8.24\\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui 4.8.32\\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui 4.8.36\\nWSO2 org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui 4.8.43\\nWSO2 org.wso2.carbon.governance:org.wso2.carbon.governance.wsdltool.ui 4.8.19\\nWSO2 org.wso2.carbon.governance:org.wso2.carbon.governance.wsdltool.ui 4.8.21\\nWSO2 org.wso2.carbon.governance:org.wso2.carbon.governance.wsdltool.ui 4.8.28\\nWSO2 org.wso2.carbon.governance:org.wso2.carbon.governance.wsdltool.ui 4.8.30\\nWSO2 org.wso2.carbon.governance:org.wso2.carbon.governance.wsdltool.ui 4.8.32\\nWSO2 org.wso2.carbon.governance:org.wso2.carbon.governance.wsdltool.ui 4.8.33\\nWSO2 org.wso2.carbon.governance:org.wso2.carbon.governance.wsdltool.ui 4.8.34\\nWSO2 org.wso2.carbon.governance:org.wso2.carbon.governance.wsdltool.ui 4.8.35\\nWSO2 org.wso2.carbon.identity.inbound.auth.oauth2:org.wso2.carbon.identity.oauth.ui 6.4.2\\nWSO2 org.wso2.carbon.identity.inbound.auth.oauth2:org.wso2.carbon.identity.oauth.ui 6.4.111\\nWSO2 org.wso2.carbon.identity.inbound.auth.oauth2:org.wso2.carbon.identity.oauth.ui 6.4.176\\nWSO2 org.wso2.carbon.identity.inbound.auth.oauth2:org.wso2.carbon.identity.oauth.ui 6.4.180\\nWSO2 org.wso2.carbon.identity.inbound.auth.oauth2:org.wso2.carbon.identity.oauth.ui 6.9.6\\nWSO2 org.wso2.carbon.identity.inbound.auth.oauth2:org.wso2.carbon.identity.oauth.ui 6.13.16\\nWSO2 org.wso2.carbon.identity.inbound.auth.oauth2:org.wso2.carbon.identity.oauth.ui 6.13.19\\nWSO2 org.wso2.carbon.identity.inbound.auth.oauth2:org.wso2.carbon.identity.oauth.ui 6.13.27″,”sourceHref”:””,”cvss”:{“score”:5.2,”severity”:”MEDIUM”,”vector”:”CVSS:3.1\/AV:A\/AC:L\/PR:N\/UI:R\/S:C\/C:L\/I:L\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:””,”category_name”:”CVE”,”post_link”:””,”product”:”WSO2 Open Banking IAM”,”version”:”0″,”vendor”:”WSO2″,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:””,”description”:”A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters,…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[2],"tags":[6,8,156,12,21,13,7,11,5],"class_list":["post-24912","post","type-post","status-publish","format-standard","hentry","category-category_cve","tag-cve","tag-cvss","tag-cvss-52","tag-exploit","tag-medium","tag-news","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\nReflected Cross-Site Scripting (XSS) in Management Console of Multiple WSO2 Products Due to Improper Output Encoding_CVE-2025-10853 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=24912\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Reflected Cross-Site Scripting (XSS) in Management Console of Multiple WSO2 Products Due to Improper Output Encoding_CVE-2025-10853 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:””,”description”:”A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters,...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=24912\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-11-05T14:44:04+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=24912#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=24912\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Reflected Cross-Site Scripting (XSS) in Management Console of Multiple WSO2 Products Due to Improper Output Encoding_CVE-2025-10853\",\"datePublished\":\"2025-11-05T14:44:04+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=24912\"},\"wordCount\":771,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-5.2\",\"exploit\",\"MEDIUM\",\"news\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_cve\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=24912#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=24912\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=24912\",\"name\":\"Reflected Cross-Site Scripting (XSS) in Management Console of Multiple WSO2 Products Due to Improper Output Encoding_CVE-2025-10853 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-11-05T14:44:04+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=24912#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=24912\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=24912#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Reflected Cross-Site Scripting (XSS) in Management Console of Multiple WSO2 Products Due to Improper Output Encoding_CVE-2025-10853\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Reflected Cross-Site Scripting (XSS) in Management Console of Multiple WSO2 Products Due to Improper Output Encoding_CVE-2025-10853 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=24912","og_locale":"en_US","og_type":"article","og_title":"Reflected Cross-Site Scripting (XSS) in Management Console of Multiple WSO2 Products Due to Improper Output Encoding_CVE-2025-10853 - zero redgem","og_description":"{“lastseen”:””,”description”:”A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters,...","og_url":"https:\/\/zero.redgem.net\/?p=24912","og_site_name":"zero redgem","article_published_time":"2025-11-05T14:44:04+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=24912#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=24912"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Reflected Cross-Site Scripting (XSS) in Management Console of Multiple WSO2 Products Due to Improper Output Encoding_CVE-2025-10853","datePublished":"2025-11-05T14:44:04+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=24912"},"wordCount":771,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-5.2","exploit","MEDIUM","news","Security","tapic","Vulnerability"],"articleSection":["category_cve"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=24912#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=24912","url":"https:\/\/zero.redgem.net\/?p=24912","name":"Reflected Cross-Site Scripting (XSS) in Management Console of Multiple WSO2 Products Due to Improper Output Encoding_CVE-2025-10853 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-11-05T14:44:04+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=24912#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=24912"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=24912#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Reflected Cross-Site Scripting (XSS) in Management Console of Multiple WSO2 Products Due to Improper Output Encoding_CVE-2025-10853"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/24912","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=24912"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/24912\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=24912"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=24912"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=24912"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}