CVE-2025-5770 | THREATINT

Description

A reflected cross-site scripting (XSS) vulnerability exists in the authentication endpoints of multiple WSO2 products due to a lack of output encoding. A malicious actor can inject arbitrary JavaScript payloads into the authentication endpoint, which are reflected back in the response, enabling browser-based attacks. Exploitation may result in redirection to malicious websites, UI manipulation, or unauthorized data access from the victim’s browser. However, session-related cookies are protected with the httpOnly flag, which mitigates session hijacking via this vector.

PUBLISHED Reserved 2025-06-06 | Published 2025-11-05 | Updated 2025-11-05 | Assigner WSO2

MEDIUM: 6.1CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Problem types

CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

Product status

Default status

unaffected

Any version before 6.0.0

unknown

6.0.0 (custom) before 6.0.0.247

affected

6.1.0 (custom) before 6.1.0.246

affected

7.0.0 (custom) before 7.0.0.122

affected

7.1.0 (custom) before 7.1.0.29

affected

Default status

unaffected

Any version before 4.2.0

unknown

4.2.0 (custom) before 4.2.0.150

affected

4.3.0 (custom) before 4.3.0.63

affected

4.4.0 (custom) before 4.4.0.26

affected

4.5.0 (custom) before 4.5.0.10

affected

Default status

unaffected

4.5.0 (custom) before 4.5.0.11

affected

Credits

crnković reporter

References

security.docs.wso2.com/...ty-advisories/2025/WSO2-2025-4270/ vendor-advisory

cve.org (CVE-2025-5770)

nvd.nist.gov (CVE-2025-5770)

Download JSON