6.1
CVE-2025-10853
- EPSS 0.03%
- Veröffentlicht 05.11.2025 19:21:32
- Zuletzt bearbeitet 13.11.2025 15:31:45
- Quelle ed10eef1-636d-4fbe-9993-6890df
- CVE-Watchlists
- Unerledigt
A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters, a malicious actor can inject arbitrary JavaScript into the response, leading to reflected XSS. Successful exploitation could result in UI manipulation, redirection to malicious websites, or data theft from the browser. However, session-related sensitive cookies are protected with the httpOnly flag, which mitigates the risk of session hijacking.
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
LoginDaten sind bereitgestellt durch National Vulnerability Database (NVD)
Wso2 ≫ Api Control Plane Version4.5.0 Update-
Wso2 ≫ Api Manager Version3.1.0
Wso2 ≫ Api Manager Version3.2.0
Wso2 ≫ Api Manager Version3.2.1
Wso2 ≫ Api Manager Version4.0.0
Wso2 ≫ Api Manager Version4.1.0 Update-
Wso2 ≫ Api Manager Version4.2.0 Update-
Wso2 ≫ Api Manager Version4.3.0 Update-
Wso2 ≫ Api Manager Version4.4.0 Update-
Wso2 ≫ Api Manager Version4.5.0 Update-
Wso2 ≫ Enterprise Integrator Version6.6.0
Wso2 ≫ Identity Server Version5.10.0
Wso2 ≫ Identity Server Version5.11.0
Wso2 ≫ Identity Server Version6.0.0 Update-
Wso2 ≫ Identity Server Version6.1.0 Update-
Wso2 ≫ Identity Server Version7.0.0 Update-
Wso2 ≫ Identity Server Version7.1.0 Update-
Wso2 ≫ Identity Server As Key Manager Version5.10.0
Wso2 ≫ Open Banking Am Version2.0.0
Wso2 ≫ Open Banking Iam Version2.0.0
Wso2 ≫ Traffic Manager Version4.5.0
Wso2 ≫ Universal Gateway Version4.5.0
| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.03% | 0.084 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 6.1 | 2.8 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
| ed10eef1-636d-4fbe-9993-6890dfa878f8 | 5.2 | 2.1 | 2.7 |
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.