PT-2021-21342 · WSO2 · WSO2 Identity Server

Published: 2021-12-07 · Updated: 2021-12-09 · CVE-2021-36760

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: WSO2 Identity Server 5.7.0
Description: WSO2 Identity Server 5.7.0 is vulnerable to DOM-based cross-site scripting in the account recovery endpoint. The callback query parameter is read from the URL and used by the page's client-side script without validation, so an attacker who gets a victim to open a recovery URL with a modified callback value has their JavaScript executed once the victim completes the username or password reset. For the same reason the recoverpassword.do endpoint also acts as an open redirect: the unvalidated callback value is used as the post-reset destination.
Recommendations: For WSO2 Identity Server 5.7.0, consider disabling the recoverpassword.do endpoint until a patch is available, and restrict network access to the accountrecoveryendpoint web application to reduce the attack surface. Do not rely on the callback parameter of the affected endpoint until the issue is resolved. In general, a callback value should only be honoured when it is an absolute https URL that matches an allowlist of the deployment's own login pages; rejecting unknown schemes (javascript:, data:) and foreign origins closes both the XSS and the open redirect.
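The following is an added example, not code from WSO2 Identity Server, showing the two patterns the advisory contrasts: a recovery page that hands the callback query parameter straight to a redirect sink, and a hardened version that validates it against an allowlist before use. The hostnames, port, paths and allowlist are assumptions chosen for illustration.

```javascript
// Added example (not WSO2 code). Demonstrates why an unvalidated "callback"
// parameter is both a DOM-based XSS and an open redirect, and how to check it.
// Uses the WHATWG URL / URLSearchParams globals available in browsers and Node.

// Constructed allowlist: the absolute URLs (scheme, host, port, path) that the
// deployment legitimately returns users to after a reset. Assumed values.
const ALLOWED_CALLBACKS = [
  'https://idp.example.com:9443/authenticationendpoint/login.do',
  'https://portal.example.com/login',
];

// Vulnerable pattern: whatever the query string says becomes the redirect
// target once the reset completes. In a browser this would be
//   window.location.href = vulnerableRedirectTarget(window.location.search);
// A "javascript:" value executes script in the page (DOM XSS); any other
// origin is an open redirect.
function vulnerableRedirectTarget(search) {
  const params = new URLSearchParams(search);
  return params.get('callback');
}

// Hardened pattern: parse the value as an absolute URL, require https,
// refuse embedded credentials, and compare scheme+host+port+path against
// the allowlist. Anything that fails falls back to a fixed, trusted page.
// The query string of an allowlisted URL is passed through because the
// legitimate login flow may need it (assumption); the fragment is dropped.
function safeRedirectTarget(search, fallback = ALLOWED_CALLBACKS[0]) {
  const params = new URLSearchParams(search);
  const raw = params.get('callback');
  if (raw === null) return fallback;

  let url;
  try {
    url = new URL(raw); // throws on relative or malformed values, e.g. "//evil.example/x"
  } catch {
    return fallback;
  }

  if (url.protocol !== 'https:') return fallback;      // rejects javascript:, data:, http:
  if (url.username || url.password) return fallback;  // rejects https://good.example@evil.example/
  const canonical = url.origin + url.pathname;         // origin includes a non-default port
  if (!ALLOWED_CALLBACKS.includes(canonical)) return fallback;

  url.hash = '';
  return url.href;
}

// Small self-check runnable with `node`; the constructed inputs mirror the
// advisory's two failure modes (script execution and off-site redirect).
function demo() {
  const cases = [
    '?callback=javascript:alert(document.domain)',
    '?callback=https://evil.example/phish',
    '?callback=https://idp.example.com:9443@evil.example/authenticationendpoint/login.do',
    '?callback=https://idp.example.com:9443/authenticationendpoint/login.do?sessionDataKey=abc#x',
  ];
  return cases.map((c) => ({
    input: c,
    vulnerable: vulnerableRedirectTarget(c),
    hardened: safeRedirectTarget(c),
  }));
}

if (typeof require !== 'undefined' && require.main === module) {
  console.table(demo());
}
```

Running the block with `node` prints a table in which the vulnerable column reproduces each attacker value verbatim while the hardened column returns either the allowlisted login page or the fixed fallback. The comparison is done on origin plus pathname rather than on a string prefix, so `https://idp.example.com.evil.example/` and userinfo tricks do not slip through.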

Weakness Enumeration: XSS

Related Identifiers: CVE-2021-36760

Affected Products: WSO2 Identity Server