Back to overview

CVE-2025-8591

MEDIUM
6.1
CVSS 3.1
Description
The software accepts user-supplied input via a URL parameter without adequate output encoding before reflecting it back to the user's browser. This condition allows an attacker to inject malicious script content into pages served by the application. By leveraging this weakness, an attacker can cause the user's browser to redirect to a malicious website, modify the UI of the webpage, or retrieve information from the browser. However, the impact is mitigated by the use of httpOnly flags on session-related cookies, preventing session hijacking.

Metadata

CVE ID
CVE-2025-8591
State
PUBLISHED
Assigner
WSO2
Reserved
2025-08-05 11:53 UTC
Published
2026-07-06 10:16 UTC
Last updated
2026-07-06 11:05 UTC
Primary CWE
CWE-79
CWE-79: Improper Neutralization of Input During Web Page Gen…
Vendor / Product
WSO2 / WSO2 Identity Server
Sources
cve.org  ·  NVD

Severity & Metrics

6.1 MEDIUM CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
SSVC — CISA Coordinator
Exploitation
none
Automatable
no
Tech. Impact
partial
Affected products (8)
VendorProductPlatformVersions
WSO2 WSO2 API Control Plane 4.5.0 < 4.5.0.44, 4.6.0 < 4.6.0.8
WSO2 WSO2 API Manager 0 < 3.1.0, 3.1.0 < 3.1.0.355, 3.2.0 < 3.2.0.459, 3.2.1 < 3.2.1.78 …
WSO2 WSO2 Identity Server 0 < 5.10.0, 5.10.0 < 5.10.0.381, 5.10.0 < 5.10.0.384, 6.0.0 < 6.0.0.255 …
WSO2 WSO2 Identity Server as Key Manager 0 < 5.10.0, 5.10.0 < 5.10.0.375
WSO2 WSO2 Open Banking AM 0 < 2.0.0, 2.0.0 < 2.0.0.404
WSO2 WSO2 Open Banking IAM 0 < 2.0.0, 2.0.0 < 2.0.0.424
WSO2 WSO2 Traffic Manager 4.5.0 < 4.5.0.42, 4.6.0 < 4.6.0.7
WSO2 WSO2 Universal Gateway 4.5.0 < 4.5.0.42, 4.6.0 < 4.6.0.7
Weakness (CWE)
CWESourceDescription
CWE-79 cna CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSS scores (1)
ScoreSeverityVersionSourceVector
6.1 MEDIUM 3.1 cna CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Back to overview