CVE-2024-7103

Name of the Vulnerable Software and Affected Versions WSO2 Identity Server version 7.0.0

Description A reflected cross-site scripting (XSS) vulnerability exists in the sub-organization login flow due to improper input validation. This allows a malicious actor to inject arbitrary JavaScript into the login flow, potentially leading to UI modifications, redirections to malicious websites, or data exfiltration from the browser. However, session-related sensitive cookies remain protected with the httpOnly flag, preventing session hijacking.

Recommendations For WSO2 Identity Server version 7.0.0, consider implementing proper input validation in the sub-organization login flow to prevent arbitrary JavaScript injection. As a temporary workaround, restrict access to the sub-organization login flow to minimize the risk of exploitation.