Description

A reflected cross-site scripting (XSS) vulnerability exists in the authentication endpoints of multiple WSO2 products due to a lack of output encoding. A malicious actor can inject arbitrary JavaScript payloads into the authentication endpoint, which are reflected back in the response, enabling browser-based attacks. Exploitation may result in redirection to malicious websites, UI manipulation, or unauthorized data access from the victim’s browser. However, session-related cookies are protected with the httpOnly flag, which mitigates session hijacking via this vector.

INFO

Published Date :

2025-11-05T19:02:48.434Z

Last Modified :

2025-11-05T20:13:05.330Z

Source :

WSO2
AFFECTED PRODUCTS

The following products are affected by CVE-2025-5770 vulnerability.

Vendors Products
Wso2
  • Api Control Plane
  • Api Manager
  • Identity Server
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-5770.

URL Resource
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4270/ cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact