Impact
The flaw allows an attacker to inject malicious script into a page by passing crafted data through a URL parameter that the application reflects without proper output encoding. This results in a classic reflected Cross‑Site Scripting (XSS) attack, which can push the victim’s browser to a malicious site, alter page content, or read and transmit information from the user’s session. The vulnerability does not compromise authentication tokens directly because session cookies are protected with httpOnly flags, so the primary impact is client‑side manipulation and potential data theft rather than server‑side credential compromise.
Affected Systems
All variants of WSO2 API Control Plane, WSO2 API Manager, WSO2 Identity Server (including Key Manager), WSO2 Open Banking AM, WSO2 Open Banking IAM, WSO2 Traffic Manager, and WSO2 Universal Gateway are affected. No specific version range is listed, so any released version of these products prior to the advisory’s fix is considered vulnerable.
Risk and Exploitability
The CVSS score of 6.1 indicates moderate severity. Because the EPSS score is not available and the vulnerability is not listed in CISA’s KEV catalog, the likelihood of widespread exploitation is uncertain, but reflected XSS is a well‑known attack method that can be automated. The most likely attack vector is through a maliciously crafted URL that a user might click or otherwise be exposed to, resulting in client‑side compromise and data leakage. The impact is limited to the victim who accesses the vulnerable page and does not inherently allow remote code execution on the server.
OpenCVE Enrichment