CVE-2025-10853

Summary

A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters, a malicious actor can inject arbitrary JavaScript into the response, leading to reflected XSS.

Successful exploitation could result in UI manipulation, redirection to malicious websites, or data theft from the browser. However, session-related sensitive cookies are protected with the httpOnly flag, which mitigates the risk of session hijacking.

Affected Software

VendorProductVersion RangeStatus
WSO2WSO2 Open Banking IAM0 < 2.0.0unknown
WSO2WSO2 Open Banking IAM2.0.0 < 2.0.0.413affected
WSO2WSO2 API Manager0 < 3.1.0unknown
WSO2WSO2 API Manager3.1.0 < 3.1.0.344affected
WSO2WSO2 API Manager3.2.0 < 3.2.0.445affected
WSO2WSO2 API Manager3.2.1 < 3.2.1.65affected
WSO2WSO2 API Manager4.0.0 < 4.0.0.365affected
WSO2WSO2 API Manager4.1.0 < 4.1.0.227affected
WSO2WSO2 API Manager4.2.0 < 4.2.0.167affected
WSO2WSO2 API Manager4.3.0 < 4.3.0.79affected
WSO2WSO2 API Manager4.4.0 < 4.4.0.43affected
WSO2WSO2 API Manager4.5.0 < 4.5.0.26affected
WSO2WSO2 Identity Server0 < 5.10.0unknown
WSO2WSO2 Identity Server5.10.0 < 5.10.0.373affected
WSO2WSO2 Identity Server5.11.0 < 5.11.0.417affected
WSO2WSO2 Identity Server6.0.0 < 6.0.0.247affected
WSO2WSO2 Identity Server6.1.0 < 6.1.0.246affected
WSO2WSO2 Identity Server7.0.0 < 7.0.0.122affected
WSO2WSO2 Identity Server7.1.0 < 7.1.0.29affected
WSO2WSO2 Open Banking AM0 < 2.0.0unknown
WSO2WSO2 Open Banking AM2.0.0 < 2.0.0.393affected
WSO2WSO2 Identity Server as Key Manager0 < 5.10.0unknown
WSO2WSO2 Identity Server as Key Manager5.10.0 < 5.10.0.363affected
WSO2WSO2 Enterprise Integrator0 < 6.6.0unknown
WSO2WSO2 Enterprise Integrator6.6.0 < 6.6.0.223affected
WSO2WSO2 API Control Plane4.5.0 < 4.5.0.27affected
WSO2WSO2 Universal Gateway4.5.0 < 4.5.0.25affected
WSO2WSO2 Traffic Manager4.5.0 < 4.5.0.25affected
WSO2org.wso2.carbon.registry:org.wso2.carbon.registry.info.ui4.7.32 < 4.7.32.14affected
WSO2org.wso2.carbon.registry:org.wso2.carbon.registry.info.ui4.7.35 < 4.7.35.11affected
WSO2org.wso2.carbon.registry:org.wso2.carbon.registry.info.ui4.7.39 < 4.7.39.9affected
WSO2org.wso2.carbon.registry:org.wso2.carbon.registry.info.ui4.7.51 < 4.7.51.4affected
WSO2org.wso2.carbon.registry:org.wso2.carbon.registry.info.ui4.8.3 < 4.8.3.9affected
WSO2org.wso2.carbon.registry:org.wso2.carbon.registry.info.ui4.8.13 < 4.8.13.6affected
WSO2org.wso2.carbon.registry:org.wso2.carbon.registry.info.ui4.8.32 < 4.8.32.3affected
WSO2org.wso2.carbon.registry:org.wso2.carbon.registry.info.ui4.8.36 < 4.8.36.1affected
WSO2org.wso2.carbon.registry:org.wso2.carbon.registry.info.ui4.8.43 < 4.8.43.1affected
WSO2org.wso2.carbon.registry:org.wso2.carbon.registry.info.ui4.8.47 <= *unaffected
WSO2org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui4.7.24 < 4.7.24.7affected
WSO2org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui4.7.32 < 4.7.32.14affected
WSO2org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui4.7.33 < 4.7.33.13affected
WSO2org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui4.7.35 < 4.7.35.11affected
WSO2org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui4.7.39 < 4.7.39.9affected
WSO2org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui4.7.51 < 4.7.51.4affected
WSO2org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui4.8.3 < 4.8.3.9affected
WSO2org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui4.8.9 < 4.8.9.5affected
WSO2org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui4.8.12 < 4.8.12.5affected
WSO2org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui4.8.13 < 4.8.13.6affected
WSO2org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui4.8.24 < 4.8.24.3affected
WSO2org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui4.8.32 < 4.8.32.3affected
WSO2org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui4.8.36 < 4.8.36.1affected
WSO2org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui4.8.43 < 4.8.43.1affected
WSO2org.wso2.carbon.registry:org.wso2.carbon.registry.resource.ui4.8.47 <= *unaffected
WSO2org.wso2.carbon.governance:org.wso2.carbon.governance.wsdltool.ui4.8.19 < 4.8.19.5affected
WSO2org.wso2.carbon.governance:org.wso2.carbon.governance.wsdltool.ui4.8.21 < 4.8.21.9affected
WSO2org.wso2.carbon.governance:org.wso2.carbon.governance.wsdltool.ui4.8.28 < 4.8.28.3affected
WSO2org.wso2.carbon.governance:org.wso2.carbon.governance.wsdltool.ui4.8.30 < 4.8.30.3affected
WSO2org.wso2.carbon.governance:org.wso2.carbon.governance.wsdltool.ui4.8.32 < 4.8.32.1affected
WSO2org.wso2.carbon.governance:org.wso2.carbon.governance.wsdltool.ui4.8.33 < 4.8.33.3affected
WSO2org.wso2.carbon.governance:org.wso2.carbon.governance.wsdltool.ui4.8.34 < 4.8.34.3affected
WSO2org.wso2.carbon.governance:org.wso2.carbon.governance.wsdltool.ui4.8.35 <= *affected
WSO2org.wso2.carbon.identity.inbound.auth.oauth2:org.wso2.carbon.identity.oauth.ui6.4.2 < 6.4.2.165affected
WSO2org.wso2.carbon.identity.inbound.auth.oauth2:org.wso2.carbon.identity.oauth.ui6.4.111 < 6.4.111.155affected
WSO2org.wso2.carbon.identity.inbound.auth.oauth2:org.wso2.carbon.identity.oauth.ui6.4.176 < 6.4.176.28affected
WSO2org.wso2.carbon.identity.inbound.auth.oauth2:org.wso2.carbon.identity.oauth.ui6.4.180 < 6.4.180.12affected
WSO2org.wso2.carbon.identity.inbound.auth.oauth2:org.wso2.carbon.identity.oauth.ui6.9.6 < 6.9.6.26affected
WSO2org.wso2.carbon.identity.inbound.auth.oauth2:org.wso2.carbon.identity.oauth.ui6.13.16 < 6.13.16.19affected
WSO2org.wso2.carbon.identity.inbound.auth.oauth2:org.wso2.carbon.identity.oauth.ui6.13.19 < 6.13.19.12affected
WSO2org.wso2.carbon.identity.inbound.auth.oauth2:org.wso2.carbon.identity.oauth.ui6.13.27 < 6.13.27.5affected
WSO2org.wso2.carbon.identity.inbound.auth.oauth2:org.wso2.carbon.identity.oauth.ui6.13.38 <= 6.13.*unaffected
WSO2org.wso2.carbon.identity.inbound.auth.oauth2:org.wso2.carbon.identity.oauth.ui7.0.349 <= *unaffected

Weaknesses

  • CWE-79: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References