Cross-Site Scripting Vulnerability in WSO2 API Management Software
CVE-2025-8591

6.1MEDIUM

What is CVE-2025-8591?

The WSO2 API Management software accepts user-supplied input through URL parameters without proper output encoding, allowing attackers to inject malicious scripts. This vulnerability can lead to a variety of issues, including the ability for an attacker to redirect users to harmful websites, alter the visual display of the application, or access sensitive information from the user's browser. While the risk is somewhat alleviated due to the implementation of httpOnly flags on session cookies, adequate security measures are still critical to prevent such script injections.

Affected Version(s)

WSO2 API Control Plane 4.5.0 < 4.5.0.44

WSO2 API Control Plane 4.6.0 < 4.6.0.8

WSO2 API Manager 3.1.0 < 3.1.0.355

References

CVSS V3.1

Score:
6.1
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.