Reflected Cross-Site Scripting Vulnerability in WSO2 Authentication Endpoint
CVE-2024-5962

6.1 MEDIUM

Key Information:

Vendor: WSO2

CVE Published: 22 May 2025

What is CVE-2024-5962?

A reflected cross-site scripting (XSS) vulnerability exists in the authentication endpoint of various WSO2 products due to inadequate output encoding of user-provided inputs. This oversight allows malicious actors to inject arbitrary JavaScript into the authentication process, which could lead to user interface manipulation, unwarranted redirections to harmful sites, or the extraction of sensitive data from the user's browser. Despite this risk, session-related cookies retain protection under the httpOnly flag, mitigating the potential for session hijacking.
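The defect described above is reflecting user-controlled input into an HTML page without encoding it for that context. The following added example is not WSO2 code and is not taken from the advisory; the error-message parameter, the page fragment and the Set-Cookie headers are constructed for illustration. It contrasts an unsafe renderer with one that encodes for an HTML text context, and adds two checks a defender would run when confirming a fix: whether a probe value comes back unencoded, and whether session cookies actually carry the HttpOnly flag that the advisory credits with limiting impact.

```python
import html
from typing import List

# Constructed sample inputs standing in for a query parameter that an
# authentication page reflects into its HTML (assumed for illustration; not
# taken from WSO2). The first is the kind of benign value the page expects,
# the second a probe that must come back encoded.
BENIGN_INPUT = "Invalid credentials, please try again"
PROBE_INPUT = "<script>alert(1)</script>"


def render_unsafe(message: str) -> str:
    """The defect class: the value lands in the HTML body exactly as received."""
    return f'<div class="error">{message}</div>'


def render_safe(message: str) -> str:
    """Encode for an HTML text context before reflecting. html.escape with
    quote=True covers & < > " and ', so the browser treats the value as text
    regardless of what it contains."""
    return f'<div class="error">{html.escape(message, quote=True)}</div>'


def reflects_unencoded(response_html: str, probe: str) -> bool:
    """Verification check for a fix: a probe containing markup characters that
    appears verbatim in the response means the parameter is still reflected
    without HTML encoding."""
    return probe in response_html


def cookies_missing_httponly(set_cookie_headers: List[str]) -> List[str]:
    """Return the names of cookies whose Set-Cookie header lacks HttpOnly.
    The advisory notes that HttpOnly session cookies are not readable by
    injected script; this confirms the flag is actually present."""
    missing = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";") if p.strip()]
        name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        if "httponly" not in attrs:
            missing.append(name)
    return missing


# Constructed Set-Cookie headers (cookie names are placeholders, not WSO2's).
SAMPLE_SET_COOKIE = [
    "SESSION=opaque-session-value; Path=/; Secure; HttpOnly; SameSite=Lax",
    "ui_theme=dark; Path=/; Secure",
]


if __name__ == "__main__":
    print("unsafe :", render_unsafe(PROBE_INPUT))
    print("safe   :", render_safe(PROBE_INPUT))
    print("unsafe reflects probe:", reflects_unencoded(render_unsafe(PROBE_INPUT), PROBE_INPUT))
    print("safe reflects probe  :", reflects_unencoded(render_safe(PROBE_INPUT), PROBE_INPUT))
    print("cookies without HttpOnly:", cookies_missing_httponly(SAMPLE_SET_COOKIE))
```

The encoder is context-specific: html.escape is correct for text between tags and for quoted attribute values, but a value placed inside a script block, a URL or an inline event handler needs the encoding rules of that context instead, which is why a fix is verified by re-running the reflection check against every location the parameter lands in rather than by inspecting one template.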

Affected Version(s)

WSO2 API Manager 4.2.0 < 4.2.0.94

WSO2 API Manager 4.3.0 < 4.3.0.9

WSO2 Identity Server 6.0.0 < 6.0.0.199

References

CVSS V3.1

Score: 6.1
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved
