6.1

CVE-2025-6024

The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection.
An attacker can leverage this by injecting malicious scripts into the authentication endpoint. This can result in the user's browser being redirected to a malicious website, manipulation of the web page's user interface, or the retrieval of information from the browser. However, session hijacking is not possible due to the httpOnly flag protecting session-related cookies.
Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD
Diese Information steht angemeldeten Benutzern zur Verfügung. Login Login
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
HerstellerWSO2
Produkt WSO2 API Manager
Default Statusunaffected
Version < 3.1.0
Version 0
Status unknown
Version < 3.1.0.351
Version 3.1.0
Status affected
Version < 3.2.0.455
Version 3.2.0
Status affected
Version < 3.2.1.74
Version 3.2.1
Status affected
Version < 4.0.0.375
Version 4.0.0
Status affected
Version < 4.1.0.238
Version 4.1.0
Status affected
HerstellerWSO2
Produkt WSO2 Identity Server
Default Statusunaffected
Version < 5.10.0
Version 0
Status unknown
Version < 5.10.0.360
Version 5.10.0
Status affected
Version < 5.11.0.405
Version 5.11.0
Status affected
Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.03% 0.084
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
ed10eef1-636d-4fbe-9993-6890dfa878f8 6.1 2.8 2.7
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.