WSO2 Identity Server vulnerabilities
67 known vulnerabilities affecting wso2/identity_server.
Total CVEs: 67
CISA KEV: 1 (actively exploited)
Public exploits: 10
Exploited in wild: 4
Severity breakdown: CRITICAL 7, HIGH 16, MEDIUM 43, LOW 1
Vulnerabilities
Page 3 of 4
CVE-2024-7096 | P4 | MEDIUM | CVSS 5.4 | CWE-863 | v5.2.0, v5.3.0 +12 more | 2025-05-30
A privilege escalation vulnerability exists in multiple WSO2 products due to a business logic flaw in SOAP admin services. A malicious actor can create a new user with elevated permissions only when all of the following conditions are met:
* SOAP admin services are accessible to the attacker.
* The deployment includes an internally used attribute that
nvd
CVE-2023-6838 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | v5.10.0 | 2023-12-15
Reflected XSS vulnerability can be exploited by tampering a request parameter in Authentication Endpoint. This can be performed in both authenticated and unauthenticated requests.
nvd
CVE-2025-0209 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | v7.0.0 | 2025-09-23
A reflected cross-site scripting (XSS) vulnerability exists in the account registration flow of WSO2 Identity Server due to improper output encoding. A malicious actor can exploit this vulnerability by injecting a crafted payload that is reflected in the server response, enabling the execution of arbitrary JavaScript in the victim's browser.
This vuln
nvd
CVE-2024-5962 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | v6.0.0, v6.1.0 | 2025-05-22
A reflected cross-site scripting (XSS) vulnerability exists in the authentication endpoint of multiple WSO2 products due to missing output encoding of user-supplied input. A malicious actor can exploit this vulnerability to inject arbitrary JavaScript into the authentication flow, potentially leading to UI modifications, redirections to malicious websi
nvd
CVE-2025-5770 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | v6.0.0, v6.1.0 +2 more | 2025-11-05
A reflected cross-site scripting (XSS) vulnerability exists in the authentication endpoints of multiple WSO2 products due to a lack of output encoding. A malicious actor can inject arbitrary JavaScript payloads into the authentication endpoint, which are reflected back in the response, enabling browser-based attacks.
Exploitation may result in redirec
nvd
CVE-2025-10503 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | ≥ 7.1.0, < 7.1.0.28 | 2026-04-29
The authentication endpoint accepts user-supplied input without enforcing expected validation constraints, leading to a lack of proper output encoding. This allows for the injection of malicious JavaScript payloads, enabling reflected cross-site scripting.
An attacker can leverage this vulnerability to redirect the user's browser to a malicious webs
nvd
CVE-2025-1396 | P4 | MEDIUM | CVSS 5.3 | CWE-203 | v5.10.0, v5.11.0 +2 more | 2025-09-26
A username enumeration vulnerability exists in multiple WSO2 products when Multi-Attribute Login is enabled. In this configuration, the system returns a distinct "User does not exist" error message to the login form, regardless of the validate_username setting. This behavior allows malicious actors to determine which usernames exist in the system based
nvd
CVE-2020-24706 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | ≤ 5.10.0 | 2020-08-27
An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager through 3.1.0, API Manager Analytics 2.5.0, IS as Key Manager through 5.10.0, Identity Server through 5.10.0, Identity Server Analytics through 5.6.0, and IoT Server 3.1.0.
nvd
CVE-2020-24704 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | v5.5.0, v5.8.0 | 2020-08-27
An issue was discovered in certain WSO2 products. The Try It tool allows Reflected XSS. This affects API Manager 2.2.0, API Manager Analytics 2.2.0, API Microgateway 2.2.0, Data Analytics Server 3.2.0, Enterprise Integrator through 6.6.0, IS as Key Manager 5.5.0, Identity Server 5.5.0 and 5.8.0, Identity Server Analytics 5.5.0, and IoT Server 3.3.0 a
nvd
CVE-2019-18882 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | v5.7.0 | 2019-11-12
WSO2 IS as Key Manager 5.7.0 allows stored XSS in download-userinfo.jag because Content-Type is mishandled.
nvd
CVE-2025-10853 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | v5.10.0, v5.11.0 +4 more | 2025-11-05
A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters, a malicious actor can inject arbitrary JavaScript into the response, leading to reflected XSS.
Successful exploitation could result in UI manipulation, redirection to
nvd
CVE-2020-14446 | P4 | MEDIUM | CVSS 6.1 | CWE-601 | ≤ 5.10.0 | 2020-06-18
An issue was discovered in WSO2 Identity Server through 5.10.0 and WSO2 IS as Key Manager through 5.10.0. An open redirect exists.
nvd
CVE-2019-18881 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | v5.7.0 | 2019-11-12
WSO2 IS as Key Manager 5.7.0 allows unauthenticated reflected XSS in the dashboard user profile.
nvd
CVE-2024-7103 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | v7.0.0 | 2025-05-22
A reflected cross-site scripting (XSS) vulnerability exists in the sub-organization login flow of WSO2 Identity Server 7.0.0 due to improper input validation. A malicious actor can exploit this vulnerability to inject arbitrary JavaScript into the login flow, potentially leading to UI modifications, redirections to malicious websites, or data exfiltrat
nvd
CVE-2021-36760 | P4 | MEDIUM | CVSS 6.1 | CWE-79 | v5.7.0, v5.8.0 +3 more | 2021-12-07
In accountrecoveryendpoint/recoverpassword.do in WSO2 Identity Server 5.7.0, it is possible to perform a DOM-Based XSS attack affecting the callback parameter modifying the URL that precedes the callback parameter. Once the username or password reset procedure is completed, the JavaScript code will be executed. (recoverpassword.do also has an open re
nvd
CVE-2020-14444 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | ≤ 5.9.0 | 2020-06-18
An issue was discovered in WSO2 Identity Server through 5.9.0 and WSO2 IS as Key Manager through 5.9.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console Policy Administration user interface.
nvd
CVE-2020-14445 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | ≤ 5.9.0 | 2020-06-18
An issue was discovered in WSO2 Identity Server through 5.9.0 and WSO2 IS as Key Manager through 5.9.0. A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in the Management Console Basic Policy Editor user interface.
nvd
CVE-2018-20737 | P4 | MEDIUM | CVSS 5.4 | CWE-79 | v5.7.0 | 2019-03-21
An issue was discovered in WSO2 API Manager 2.1.0 and 2.6.0. Reflected XSS exists in the carbon part of the product.
nvd
CVE-2024-8008 | P4 | MEDIUM | CVSS 5.2 | CWE-79 | v5.10.0, v5.11.0 +3 more | 2025-06-02
A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to insufficient output encoding in error messages generated by the JDBC user store connection validation request. A malicious actor can inject a specially crafted payload into the request, causing the browser to execute arbitrary JavaScript in the context of the v
nvd
CVE-2024-3511 | P4 | MEDIUM | CVSS 4.3 | CWE-863 | v5.10.0, v5.11.0 +3 more | 2025-06-23
An incorrect authorization vulnerability exists in multiple WSO2 products that allows unauthorized access to versioned files stored in the registry. Due to flawed authorization logic, a malicious actor with access to the management console can exploit a specific bypass method to retrieve versioned files without proper authorization.
Successful exploi
nvd