DOM-Based XSS Vulnerability in WSO2 Identity Server
CVE-2021-36760

6.1MEDIUM

Key Information:

Vendor: Wso2
Status: Identity Server; Identity Server As Key Manager; Api Manager; Iot Server
Vendor: CVE Published:; 7 December 2021

What is CVE-2021-36760?

A DOM-Based XSS vulnerability exists in the account recovery functionality of WSO2 Identity Server 5.7.0. This flaw allows attackers to manipulate the callback parameter in the 'recoverpassword.do' endpoint, which can lead to the execution of malicious JavaScript code after a user initiates a username or password reset. Additionally, the endpoint has an open redirect issue that may further facilitate exploitation. This poses a significant risk as it could result in unauthorized access to sensitive user data.

References

https://docs.wso2.com/display/Security/2021+Advisories

x_refsource_MISC

https://docs.wso2.com/display/Security/Security+Advisory+...

x_refsource_MISC

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Dec 7, 2021
Vulnerability Reserved
Jul 16, 2021

Wso2

What is CVE-2021-36760?

References

CVSS V3.1

Timeline