VYPR
Medium severity, CVSS 6.1 (NVD). Advisory published Apr 16, 2026, updated Apr 23, 2026.

CVE-2025-6024

Description

The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection. An attacker can leverage this by injecting malicious scripts into the authentication endpoint. This can result in the user's browser being redirected to a malicious website, manipulation of the web page's user interface, or the retrieval of information from the browser. However, session hijacking is not possible due to the httpOnly flag protecting session-related cookies.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS in WSO2 authentication endpoint due to missing output encoding; session cookies are httpOnly-protected.

Vulnerability

Overview

The authentication endpoint in multiple WSO2 products fails to encode user-supplied input before rendering it in the web page, leading to a reflected cross-site scripting (XSS) vulnerability [1]. This occurs because the application does not properly sanitize or escape input that is reflected back to the user's browser, allowing an attacker to inject arbitrary HTML or JavaScript [1].

Exploitation

An attacker can exploit this by crafting a malicious URL containing a script payload and tricking a user into clicking it. No authentication is required to trigger the vulnerability, but user interaction is necessary (e.g., clicking a link). The injected script executes in the context of the affected WSO2 endpoint, enabling the attacker to manipulate the page content, redirect the browser, or retrieve information from the user's browser [1].

Impact

Successful exploitation allows an attacker to perform actions such as redirecting the user to a malicious site, altering the UI of the authentication page, or stealing non-sensitive browser data. However, because all session-related cookies are set with the httpOnly flag, session hijacking or similar attacks are not possible [1]. The CVSS score of 6.1 (Medium) reflects the limited impact on confidentiality and integrity due to the httpOnly protection [1].

Mitigation

WSO2 has released updates for all affected product versions. Users should migrate to the latest unaffected version or apply the specified update level for their product. For example, WSO2 API Manager 4.1.0 requires update level 238, and WSO2 Identity Server 5.11.0 requires update level 405 [1]. No workaround is provided; updating is the recommended solution.
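The defect class the advisory describes, as an added illustration that is not WSO2's code: a login form that reflects a query parameter into the page verbatim, the same form with output encoding applied, and a session cookie carrying the HttpOnly flag that the advisory credits with ruling out session hijacking. The `username` parameter, the form markup and the sample input are assumptions constructed for this example.

```javascript
// Added illustration (not WSO2 code): reflected XSS from missing output encoding,
// its fix, and an HttpOnly session cookie. Parameter name and markup are assumed.

// Encode the characters that change meaning in HTML text and attribute contexts.
function htmlEncode(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: the query parameter is written into the page exactly as received.
function renderLoginVulnerable(query) {
  const username = query.username ?? "";
  return `<form method="post"><input name="username" value="${username}"></form>`;
}

// Fixed: every untrusted value is encoded at the point it is written into HTML.
function renderLoginFixed(query) {
  const username = htmlEncode(query.username ?? "");
  return `<form method="post"><input name="username" value="${username}"></form>`;
}

// Session cookie with the HttpOnly flag: script running in the page cannot read it
// through document.cookie, which is why the advisory rules out session hijacking.
function sessionCookieHeader(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Defender-side regression check: does input containing markup characters reach
// the rendered page unchanged?
function reflectsRawMarkup(html, input) {
  return /[<>"']/.test(input) && html.includes(input);
}

// Constructed sample input: closes the value attribute and injects a harmless tag.
const SAMPLE_QUERY = { username: '"><script>0</script>' };

console.log("vulnerable reflects raw markup:",
  reflectsRawMarkup(renderLoginVulnerable(SAMPLE_QUERY), SAMPLE_QUERY.username)); // true
console.log("fixed reflects raw markup:",
  reflectsRawMarkup(renderLoginFixed(SAMPLE_QUERY), SAMPLE_QUERY.username));      // false
```

The `reflectsRawMarkup` check is the kind of assertion a test suite can run over every page that echoes request data, so a regression of the encoding fix fails a build rather than reaching users.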

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
