While this issue could allow an attacker to manipulate the user’s browser, session-related sensitive cookies remain protected with the httpOnly flag, preventing session hijacking.
Metrics
Affected Vendors & Products
Solution
Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3425/#solution https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3425/#solution
Workaround
No workaround given by the vendor.
Thu, 22 May 2025 19:15:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Thu, 22 May 2025 18:45:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Description | A reflected cross-site scripting (XSS) vulnerability exists in the sub-organization login flow of WSO2 Identity Server 7.0.0 due to improper input validation. A malicious actor can exploit this vulnerability to inject arbitrary JavaScript into the login flow, potentially leading to UI modifications, redirections to malicious websites, or data exfiltration from the browser. While this issue could allow an attacker to manipulate the user’s browser, session-related sensitive cookies remain protected with the httpOnly flag, preventing session hijacking. | |
Title | Reflected Cross-Site Scripting (XSS) in WSO2 Identity Server 7.0.0 Sub-Organization Login Flow | |
Weaknesses | CWE-79 | |
References |
| |
Metrics |
cvssV3_1
|

Status: PUBLISHED
Assigner: WSO2
Published:
Updated: 2025-05-22T18:48:11.459Z
Reserved: 2024-07-25T11:42:26.056Z
Link: CVE-2024-7103

Updated: 2025-05-22T18:47:59.021Z

Status : Awaiting Analysis
Published: 2025-05-22T19:15:43.017
Modified: 2025-05-23T15:54:42.643
Link: CVE-2024-7103

No data.

No data.