6.1
CVE-2025-6024
- EPSS 0.23%
- Veröffentlicht 16.04.2026 10:16:14
- Zuletzt bearbeitet 23.04.2026 15:35:04
- Quelle ed10eef1-636d-4fbe-9993-6890df
- CVE-Watchlists
- Unerledigt
Cross-Site Scripting via Authentication Endpoint in Multiple WSO2 Products Allows Redirection to Malicious Websites
The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection. An attacker can leverage this by injecting malicious scripts into the authentication endpoint. This can result in the user's browser being redirected to a malicious website, manipulation of the web page's user interface, or the retrieval of information from the browser. However, session hijacking is not possible due to the httpOnly flag protecting session-related cookies.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
Wso2 ≫ Api Manager Version3.1.0
Wso2 ≫ Api Manager Version3.2.0
Wso2 ≫ Api Manager Version3.2.1
Wso2 ≫ Api Manager Version4.0.0
Wso2 ≫ Api Manager Version4.1.0 Update-
Wso2 ≫ Identity Server Version5.10.0
Wso2 ≫ Identity Server Version5.11.0
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.23% | 0.135 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| ed10eef1-636d-4fbe-9993-6890dfa878f8 | 6.1 | 2.8 | 2.7 |
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
|
CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4251/