PT-2026-33305 · Wso2 · Wso2 Api Manager+3
Published
2026-04-16
·
Updated
2026-04-16
·
CVE-2025-6024
CVSS v3.1
6.1
Medium
| Vector | AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
Affected versions are not specified. The affected products listed on this page are WSO2 API Manager and WSO2 Identity Server; no narrower component or version range is given.
Description
The authentication endpoint fails to HTML-encode user-supplied input before rendering it into the page, so a crafted request reflects attacker-controlled script into the response (reflected cross-site scripting). A victim who opens an attacker-supplied link to the authentication endpoint can have their browser redirected to a malicious website, the page's user interface manipulated, or information retrieved from the browser. Session-related cookies carry the HttpOnly flag, so the injected script cannot read them and session hijacking by cookie theft is ruled out. HttpOnly does not, however, stop the script from issuing requests that the browser sends with those cookies attached, so actions in the victim's session remain possible, consistent with the vector's C:L/I:L and its requirement for user interaction (UI:R).
Recommendations
At the moment, there is no information about a newer version that contains a fix for this vulnerability. Until a fixed release is identified, the standard mitigation for this class of bug is contextual output encoding of every reflected parameter on the server side and a Content-Security-Policy that disallows inline script; keep the HttpOnly flag on session cookies, since it is what limits the impact here.
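The bug class described above, as an added example that is not WSO2's code: a minimal login page that reflects request parameters into HTML without encoding, beside the encoded version, together with the reflection check a tester runs to confirm the finding. The endpoint path, the parameter names (`authFailureMsg`, `relyingParty`) and the probe string are constructed for illustration and are not taken from the advisory.

```javascript
// Added example (not WSO2 code): model of a login page reflecting parameters
// without HTML encoding, the encoded version, and a reflection check.

// Constructed probe: closes an attribute/element and injects a new element.
const PROBE = '"><svg onload=alert(1)>';

// Vulnerable rendering: parameters are interpolated into the page verbatim,
// once in element-body context (error message) and once in attribute context.
// Parameter names and the form action are hypothetical.
function renderLoginPageVulnerable(params) {
  const msg = params.authFailureMsg ?? '';
  const relyingParty = params.relyingParty ?? '';
  return [
    '<html><body>',
    `<div class="error">${msg}</div>`,
    '<form action="/commonauth" method="post">',
    `<input type="hidden" name="relyingParty" value="${relyingParty}">`,
    '</form></body></html>',
  ].join('\n');
}

// HTML entity encoding safe for both text and double-quoted attribute
// context: the five characters that change markup structure, plus '/'.
const HTML_ENTITIES = {
  '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
};
function encodeHtml(value) {
  return String(value).replace(/[&<>"'\/]/g, (c) => HTML_ENTITIES[c]);
}

// Fixed rendering: same template, every untrusted value encoded at the point
// it is written into the HTML.
function renderLoginPageFixed(params) {
  const msg = encodeHtml(params.authFailureMsg ?? '');
  const relyingParty = encodeHtml(params.relyingParty ?? '');
  return [
    '<html><body>',
    `<div class="error">${msg}</div>`,
    '<form action="/commonauth" method="post">',
    `<input type="hidden" name="relyingParty" value="${relyingParty}">`,
    '</form></body></html>',
  ].join('\n');
}

// Element names present in the rendered page that the template itself does
// not produce; any such element was introduced by untrusted input.
const TEMPLATE_TAGS = new Set(['html', 'body', 'div', 'form', 'input']);
function injectedElements(html) {
  const names = [...html.matchAll(/<([A-Za-z][A-Za-z0-9]*)/g)]
    .map((m) => m[1].toLowerCase());
  return names.filter((name) => !TEMPLATE_TAGS.has(name));
}

// Reflection check as a tester would run it: the probe is sent in one
// parameter at a time and the response inspected for the probe appearing
// verbatim and for elements the template does not produce.
function checkReflection(render, paramName, probe = PROBE) {
  const html = render({ [paramName]: probe });
  const injected = injectedElements(html);
  return {
    param: paramName,
    reflectedRaw: html.includes(probe),
    injected,
    vulnerable: html.includes(probe) || injected.length > 0,
  };
}

// Audit both reflected parameters against a given renderer.
function auditAll(render) {
  return ['authFailureMsg', 'relyingParty'].map((p) => checkReflection(render, p));
}

console.log('vulnerable:', JSON.stringify(auditAll(renderLoginPageVulnerable)));
console.log('fixed:', JSON.stringify(auditAll(renderLoginPageFixed)));
```

The check deliberately tests two contexts, because an encoder that only strips `<` and `>` would still let the attribute-context probe close the `value="..."` attribute; entity-encoding the quote characters as well is what makes the second render safe.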
XSS
Weakness Enumeration
Related Identifiers
Affected Products
Wso2 Api Manager
Wso2 Identity Server
Aimanager
Identityserver