Western Shyna

**Name of the Vulnerable Software and Affected Versions** WSO2 Identity Server version 7.0.0 **Description** A reflected cross-site scripting (XSS) vulnerability exists in the sub-organization login flow due to improper input validation. This allows a malicious actor to inject arbitrary JavaScript into the login flow, potentially leading to UI modifications, redirections to malicious websites, or data exfiltration from the browser. However, session-related sensitive cookies remain protected with the httpOnly flag, preventing session hijacking. **Recommendations** For WSO2 Identity Server version 7.0.0, consider implementing proper input validation in the sub-organization login flow to prevent arbitrary JavaScript injection. As a temporary workaround, restrict access to the sub-organization login flow to minimize the risk of exploitation.