CVE-2025-8591

Summary

The software accepts user-supplied input via a URL parameter without adequate output encoding before reflecting it back to the user's browser. This condition allows an attacker to inject malicious script content into pages served by the application.

By leveraging this weakness, an attacker can cause the user's browser to redirect to a malicious website, modify the UI of the webpage, or retrieve information from the browser. However, the impact is mitigated by the use of httpOnly flags on session-related cookies, preventing session hijacking.

Affected Software

VendorProductVersion RangeStatus
WSO2WSO2 Identity Server0 < 5.10.0unknown
WSO2WSO2 Identity Server5.10.0 < 5.10.0.381affected
WSO2WSO2 Identity Server5.10.0 < 5.10.0.384affected
WSO2WSO2 Identity Server6.0.0 < 6.0.0.255affected
WSO2WSO2 Identity Server7.0.0 < 7.0.0.131affected
WSO2WSO2 Identity Server7.1.0 < 7.1.0.21affected
WSO2WSO2 Identity Server7.1.0 < 7.1.0.51affected
WSO2WSO2 API Manager0 < 3.1.0unknown
WSO2WSO2 API Manager3.1.0 < 3.1.0.355affected
WSO2WSO2 API Manager3.2.0 < 3.2.0.459affected
WSO2WSO2 API Manager3.2.1 < 3.2.1.78affected
WSO2WSO2 API Manager4.0.0 < 4.0.0.380affected
WSO2WSO2 API Manager4.1.0 < 4.1.0.243affected
WSO2WSO2 API Manager4.2.0 < 4.2.0.183affected
WSO2WSO2 API Manager4.3.0 < 4.3.0.94affected
WSO2WSO2 API Manager4.4.0 < 4.4.0.58affected
WSO2WSO2 API Manager4.5.0 < 4.5.0.43affected
WSO2WSO2 API Manager4.6.0 < 4.6.0.7affected
WSO2WSO2 API Control Plane4.5.0 < 4.5.0.44affected
WSO2WSO2 API Control Plane4.6.0 < 4.6.0.8affected
WSO2WSO2 Traffic Manager4.5.0 < 4.5.0.42affected
WSO2WSO2 Traffic Manager4.6.0 < 4.6.0.7affected
WSO2WSO2 Universal Gateway4.5.0 < 4.5.0.42affected
WSO2WSO2 Universal Gateway4.6.0 < 4.6.0.7affected
WSO2WSO2 Open Banking AM0 < 2.0.0unknown
WSO2WSO2 Open Banking AM2.0.0 < 2.0.0.404affected
WSO2WSO2 Identity Server as Key Manager0 < 5.10.0unknown
WSO2WSO2 Identity Server as Key Manager5.10.0 < 5.10.0.375affected
WSO2WSO2 Open Banking IAM0 < 2.0.0unknown
WSO2WSO2 Open Banking IAM2.0.0 < 2.0.0.424affected

Weaknesses

  • CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References