CVE-2024-7103

Reflected Cross-Site Scripting (XSS) in WSO2 Identity Server 7.0.0 Sub-Organization Login Flow

CVSS 4.6 MEDIUMEPSS 0.2%CWE-79

Vexday Risk Score

13Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 4.6EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Ciclo de vida

22 may 2025Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

A reflected cross-site scripting (XSS) vulnerability exists in the sub-organization login flow of WSO2 Identity Server 7.0.0 due to improper input validation. A malicious actor can exploit this vulnerability to inject arbitrary JavaScript into the login flow, potentially leading to UI modifications, redirections to malicious websites, or data exfiltration from the browser. While this issue could allow an attacker to manipulate the user’s browser, session-related sensitive cookies remain protected with the httpOnly flag, preventing session hijacking.

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Productos afectados

WSO2 · WSO2 Identity Server

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3425/