A reflected cross-site scripting (XSS) vulnerability exists in the sub-organization login flow of WSO2 Identity Server 7.0.0 due to improper input validation. A malicious actor can exploit this vulnerability to inject arbitrary JavaScript into the login flow, potentially leading to UI modifications, redirections to malicious websites, or data exfiltration from the browser.

While this issue could allow an attacker to manipulate the user’s browser, session-related sensitive cookies remain protected with the httpOnly flag, preventing session hijacking.
Fixes

Solution

Follow the instructions given at https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3425/#solution


Workaround

No workaround given by the vendor.

History

Thu, 22 May 2025 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 22 May 2025 18:45:00 +0000

Type Values Removed Values Added
Description A reflected cross-site scripting (XSS) vulnerability exists in the sub-organization login flow of WSO2 Identity Server 7.0.0 due to improper input validation. A malicious actor can exploit this vulnerability to inject arbitrary JavaScript into the login flow, potentially leading to UI modifications, redirections to malicious websites, or data exfiltration from the browser. While this issue could allow an attacker to manipulate the user’s browser, session-related sensitive cookies remain protected with the httpOnly flag, preventing session hijacking.
Title Reflected Cross-Site Scripting (XSS) in WSO2 Identity Server 7.0.0 Sub-Organization Login Flow
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 4.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: WSO2

Published:

Updated: 2025-05-22T18:48:11.459Z

Reserved: 2024-07-25T11:42:26.056Z

Link: CVE-2024-7103

Vulnrichment

Updated: 2025-05-22T18:47:59.021Z

NVD

Status: Awaiting Analysis

Published: 2025-05-22T19:15:43.017

Modified: 2025-05-23T15:54:42.643

Link: CVE-2024-7103

Redhat

No data.

OpenCVE Enrichment

No data.