CVE-2025-10853
Published 2025-11-05
Priority: P4 · 26 · Severity: medium · CVSS 3.1 base score: 6.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.16% (5.5th percentile)
A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters, a malicious actor can inject arbitrary JavaScript into the response, leading to reflected XSS.
Successful exploitation could result in UI manipulation, redirection to malicious websites, or data theft from the browser. However, session-related sensitive cookies are protected with the httpOnly flag, which mitigates the risk of session hijacking.
Affected
83 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| wso2 | api_control_plane | — | — |
| wso2 | api_manager | — | — |
| wso2 | enterprise_integrator | — | — |
| wso2 | identity_server | — | — |
| wso2 | identity_server_as_key_manager | — | — |
| wso2 | open_banking_am | — | — |
| wso2 | open_banking_iam | — | — |
| wso2 | org.wso2.carbon.governance_org.wso2.carbon.governance.wsdltool.ui | >= 4.8.19 < 4.8.19.5 | 4.8.19.5 |
| wso2 | org.wso2.carbon.governance_org.wso2.carbon.governance.wsdltool.ui | >= 4.8.21 < 4.8.21.9 | 4.8.21.9 |
| wso2 | org.wso2.carbon.governance_org.wso2.carbon.governance.wsdltool.ui | >= 4.8.28 < 4.8.28.3 | 4.8.28.3 |
| wso2 | org.wso2.carbon.governance_org.wso2.carbon.governance.wsdltool.ui | >= 4.8.30 < 4.8.30.3 | 4.8.30.3 |
| wso2 | org.wso2.carbon.governance_org.wso2.carbon.governance.wsdltool.ui | >= 4.8.32 < 4.8.32.1 | 4.8.32.1 |
No detection rules found.
No public exploits indexed.