Reflected Cross-Site Scripting (XSS) in Multiple WSO2 Products via JDBC User Store Connection Validation
Description
A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to insufficient output encoding in error messages generated by the JDBC user store connection validation request. A malicious actor can inject a specially crafted payload into the request, causing the browser to execute arbitrary JavaScript in the context of the vulnerable page.
This vulnerability may allow UI manipulation, redirection to malicious websites, or data exfiltration from the browser. However, since all session-related sensitive cookies are protected with the httpOnly flag, session hijacking is not possible.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.wso2.carbon.identity.framework:org.wso2.carbon.identity.user.store.configuration.uiMaven | < 7.5.12 | 7.5.12 |
Affected products
4- Range: 5.14.127
- Range: 4.5.0
- WSO2/WSO2 Open Banking IAMv5Range: 2.0.0
- WSO2/WSO2 Universal Gatewayv5Range: 4.5.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- github.com/advisories/GHSA-xpxp-r8hf-wgf6ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2024-8008ghsaADVISORY
- security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3178/mitrevendor-advisory
- github.com/wso2/carbon-identity-framework/pull/5927ghsaWEB
- security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3178ghsaWEB
News mentions
0No linked articles in our index yet.