
WSO2 Identity Server vulnerabilities

43 known vulnerabilities affecting wso2/wso2_identity_server.

Total CVEs: 43
CISA KEV: 0
Public exploits: 3
Exploited in wild: 2
Severity breakdown: CRITICAL 5, HIGH 11, MEDIUM 26, LOW 1

Vulnerabilities

Page 2 of 3
CVE-2025-0663 | P3 | MEDIUM | CVSS 6.8 | 2025-09-23
Affected: ≥ 5.10.0, < 5.10.0.343; ≥ 5.11.0, < 5.11.0.392; +3 more
CWE-287. A cross-tenant authentication vulnerability exists in multiple WSO2 products due to improper cryptographic design in Adaptive Authentication. A single cryptographic key is used across all tenants to sign authentication cookies, allowing a privileged user in one tenant to forge authentication cookies for users in other tenants. Because the Auto-Login
Source: nvd
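The flaw in CVE-2025-0663 is a key-scoping one: one HMAC key serves every tenant, so whoever can sign for tenant A can sign for tenant B. The following model is added here as an illustration and is not WSO2's code; the cookie layout, the key names and the tenant identifiers are assumptions. It shows the shared-key forgery being accepted, and a per-tenant derived key, with the tenant also bound into the signed payload, rejecting the same forgery:

```python
"""Added example (not WSO2 code): shared signing key vs. per-tenant derived key
for authentication cookies. Cookie layout and names are assumptions."""
import base64
import hashlib
import hmac
import json

MASTER_KEY = b"server-wide-secret-assumed-for-demo"  # assumed master secret


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def shared_key(_tenant: str) -> bytes:
    # Flawed design: every tenant signs with the same key.
    return MASTER_KEY


def tenant_key(tenant: str) -> bytes:
    # Hardened design: derive a distinct key per tenant from the master key
    # (one HMAC-based expand step with the tenant name as context).
    return hmac.new(MASTER_KEY, b"auth-cookie-v1|" + tenant.encode(), hashlib.sha256).digest()


def sign_cookie(key_for, tenant: str, user: str) -> str:
    payload = json.dumps({"tenant": tenant, "user": user}, separators=(",", ":")).encode()
    tag = hmac.new(key_for(tenant), payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_cookie(key_for, expected_tenant: str, cookie: str):
    """Return the user if the cookie is valid for expected_tenant, else None."""
    try:
        p, t = cookie.split(".")
        payload, tag = _unb64(p), _unb64(t)
    except ValueError:
        return None
    expected = hmac.new(key_for(expected_tenant), payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(payload)
    # Bind the cookie to the tenant it is presented to, not only to the key.
    if claims.get("tenant") != expected_tenant:
        return None
    return claims.get("user")


def forge_cross_tenant(key_for, attacker_tenant: str, victim_tenant: str, victim_user: str) -> str:
    """A privileged user in attacker_tenant can obtain their own tenant's
    signing key. With a shared key it also signs victim_tenant cookies;
    with per-tenant keys it does not."""
    key = key_for(attacker_tenant)
    payload = json.dumps({"tenant": victim_tenant, "user": victim_user}, separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def demo() -> dict:
    forged_shared = forge_cross_tenant(shared_key, "evil.com", "victim.com", "admin")
    forged_scoped = forge_cross_tenant(tenant_key, "evil.com", "victim.com", "admin")
    return {
        "shared_key_forgery_accepted": verify_cookie(shared_key, "victim.com", forged_shared),
        "scoped_key_forgery_accepted": verify_cookie(tenant_key, "victim.com", forged_scoped),
        "legit_scoped": verify_cookie(tenant_key, "victim.com", sign_cookie(tenant_key, "victim.com", "alice")),
    }


if __name__ == "__main__":
    print(demo())
```

Key separation and tenant binding are two separate checks; the regression test worth keeping is a cookie legitimately signed for one tenant presented to another tenant's verifier, which must fail on both.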
CVE-2024-7073 | P4 | MEDIUM | CVSS 6.5 | 2025-06-02
Affected: ≥ 5.2.0, < 5.2.0.32; ≥ 5.3.0, < 5.3.0.32; +12 more
CWE-918. A server-side request forgery (SSRF) vulnerability exists in multiple WSO2 products due to improper input validation in SOAP admin services. This flaw allows unauthenticated attackers to manipulate server-side requests, enabling access to internal and external resources available through the network or filesystem. Exploitation of this vulnerability co
Source: nvd
CVE-2024-7487 | P4 | MEDIUM | CVSS 5.8 | 2025-05-22
Affected: ≥ 7.0.0, < 7.0.0.65
CWE-287. An improper authentication vulnerability exists in WSO2 Identity Server 7.0.0 due to an implementation flaw that allows app-native authentication to be bypassed when an invalid object is passed. Exploitation of this vulnerability could enable malicious actors to circumvent the client verification mechanism, compromising the integrity of the authentic
Source: nvd
CVE-2024-2321 | P4 | MEDIUM | CVSS 5.6 | 2025-02-27
Affected: ≥ 5.11.0, < 5.11.0.326; ≥ 6.0.0, < 6.0.0.172; +1 more
CWE-863. An incorrect authorization vulnerability exists in multiple WSO2 products, allowing protected APIs to be accessed directly using a refresh token instead of the expected access token. Due to improper authorization checks and token mapping, session cookies are not required for API access, potentially enabling unauthorized operations. Exploitation requi
Source: nvd
CVE-2025-12624 | P4 | MEDIUM | CVSS 5.4 | 2026-04-16
Affected: ≥ 5.2.0, < 5.2.0.35
CWE-613. Active access tokens are not revoked or invalidated when a user account is locked within WSO2 Identity Server. This failure to enforce revocation allows previously issued, valid tokens to remain usable, enabling continued access to protected resources by locked user accounts. The security consequence is that a locked user account can maintain acces
Source: nvd
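CVE-2024-2321 and CVE-2025-12624 are both failures of the check a resource server runs on a presented token: the first accepts a refresh token as if it were an access token, the second keeps honouring access tokens after the account is locked. The store below is an added example and not WSO2's implementation; the opaque-token layout, the token_use field and the in-memory store are assumptions. authorize_naive reproduces the two flawed behaviours and authorize adds the checks that close them:

```python
"""Added example (not WSO2 code): a resource-server token check that rejects
refresh tokens as bearer credentials (CWE-863) and invalidates tokens on
account lock (CWE-613). Token layout and store are assumptions."""
import secrets
import time


class TokenStore:
    def __init__(self):
        self._tokens = {}     # opaque token string -> record dict
        self._locked = set()  # locked usernames

    def issue(self, user: str, scope: str, now=None) -> dict:
        """Issue an access/refresh pair; both are opaque random strings."""
        now = time.time() if now is None else now
        pair = {}
        for use, ttl in (("access", 3600), ("refresh", 14 * 86400)):
            tok = secrets.token_urlsafe(32)
            self._tokens[tok] = {"user": user, "scope": scope, "token_use": use,
                                 "exp": now + ttl, "revoked": False}
            pair[use] = tok
        return pair

    def lock_account(self, user: str) -> int:
        """CWE-613 fix: locking must also invalidate tokens already issued.
        Returns how many live tokens were revoked."""
        self._locked.add(user)
        count = 0
        for rec in self._tokens.values():
            if rec["user"] == user and not rec["revoked"]:
                rec["revoked"] = True
                count += 1
        return count

    def authorize(self, token: str, required_scope: str, now=None) -> tuple:
        """Decide whether a bearer token grants required_scope on a protected API."""
        now = time.time() if now is None else now
        rec = self._tokens.get(token)
        if rec is None:
            return False, "unknown_token"
        # CWE-863 fix: a refresh token is only valid at the token endpoint,
        # never as a bearer credential on a protected API.
        if rec["token_use"] != "access":
            return False, "wrong_token_type"
        # Lock state is re-checked at use time, not only at issue time.
        if rec["revoked"] or rec["user"] in self._locked:
            return False, "revoked_or_locked"
        if now >= rec["exp"]:
            return False, "expired"
        if required_scope not in rec["scope"].split():
            return False, "insufficient_scope"
        return True, rec["user"]

    def authorize_naive(self, token: str, required_scope: str, now=None) -> tuple:
        """The flawed behaviour both CVEs describe: any known, unexpired token
        carrying the scope is accepted; token type and lock state are ignored."""
        now = time.time() if now is None else now
        rec = self._tokens.get(token)
        if rec is None or now >= rec["exp"] or required_scope not in rec["scope"].split():
            return False, "rejected"
        return True, rec["user"]
```

Checking the lock flag at authorization time as well as revoking on lock covers the race where a token is issued between the lock decision and the revocation sweep; an introspection endpoint (RFC 7662) would expose the same decision to remote resource servers.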
CVE-2025-6024 | P4 | MEDIUM | CVSS 6.1 | 2026-04-16
Affected: ≥ 5.10.0, < 5.10.0.360; ≥ 5.11.0, < 5.11.0.405
CWE-79. The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection. An attacker can leverage this by injecting malicious scripts into the authentication endpoint. This can result in the user's browser being redirected to a malicious website, manipulation of the web page's user interface, o
Source: nvd
CVE-2024-1440 | P4 | MEDIUM | CVSS 6.1 | 2025-06-02
Affected: ≥ 5.10.0, < 5.10.0.278; ≥ 5.11.0, < 5.11.0.347; +3 more
CWE-601. An open redirection vulnerability exists in multiple WSO2 products due to improper validation of the multi-option URL in the authentication endpoint when multi-option authentication is enabled. A malicious actor can craft a valid link that redirects users to an attacker-controlled site. By exploiting this vulnerability, an attacker may trick users in
Source: nvd
CVE-2024-7096 | P4 | MEDIUM | CVSS 5.4 | 2025-05-30
Affected: ≥ 5.2.0, < 5.2.0.32; ≥ 5.3.0, < 5.3.0.33; +11 more
CWE-863. A privilege escalation vulnerability exists in multiple WSO2 products due to a business logic flaw in SOAP admin services. A malicious actor can create a new user with elevated permissions only when all of the following conditions are met:
* SOAP admin services are accessible to the attacker.
* The deployment includes an internally used attribute that
Source: nvd
CVE-2023-6838 | P4 | MEDIUM | CVSS 6.1 | 2023-12-15
Affected: ≥ 5.10.0.0, < 5.10.0.5
CWE-79. A reflected XSS vulnerability can be exploited by tampering with a request parameter in the Authentication Endpoint. This can be performed in both authenticated and unauthenticated requests.
Source: nvd
CVE-2025-0209 | P4 | MEDIUM | CVSS 6.1 | 2025-09-23
Affected: ≥ 7.0.0, < 7.0.0.87
CWE-79. A reflected cross-site scripting (XSS) vulnerability exists in the account registration flow of WSO2 Identity Server due to improper output encoding. A malicious actor can exploit this vulnerability by injecting a crafted payload that is reflected in the server response, enabling the execution of arbitrary JavaScript in the victim's browser. This vuln
Source: nvd
CVE-2024-5962 | P4 | MEDIUM | CVSS 6.1 | 2025-05-22
Affected: ≥ 6.0.0, < 6.0.0.199; ≥ 6.1.0, < 6.1.0.172
CWE-79. A reflected cross-site scripting (XSS) vulnerability exists in the authentication endpoint of multiple WSO2 products due to missing output encoding of user-supplied input. A malicious actor can exploit this vulnerability to inject arbitrary JavaScript into the authentication flow, potentially leading to UI modifications, redirections to malicious websi
Source: nvd
CVE-2025-5770 | P4 | MEDIUM | CVSS 6.1 | 2025-11-05
Affected: ≥ 6.0.0, < 6.0.0.247; ≥ 6.1.0, < 6.1.0.246; +2 more
CWE-79. A reflected cross-site scripting (XSS) vulnerability exists in the authentication endpoints of multiple WSO2 products due to a lack of output encoding. A malicious actor can inject arbitrary JavaScript payloads into the authentication endpoint, which are reflected back in the response, enabling browser-based attacks. Exploitation may result in redirec
Source: nvd
CVE-2025-10503 | P4 | MEDIUM | CVSS 6.1 | 2026-04-29
Affected: ≥ 7.1.0, < 7.1.0.28
CWE-79. The authentication endpoint accepts user-supplied input without enforcing expected validation constraints, leading to a lack of proper output encoding. This allows for the injection of malicious JavaScript payloads, enabling reflected cross-site scripting. An attacker can leverage this vulnerability to redirect the user's browser to a malicious webs
Source: nvd
CVE-2025-1396 | P4 | MEDIUM | CVSS 5.3 | 2025-09-26
Affected: ≥ 5.10.0, < 5.10.0.346; ≥ 5.11.0, < 5.11.0.395; +2 more
CWE-203. A username enumeration vulnerability exists in multiple WSO2 products when Multi-Attribute Login is enabled. In this configuration, the system returns a distinct "User does not exist" error message to the login form, regardless of the validate_username setting. This behavior allows malicious actors to determine which usernames exist in the system based
Source: nvd
CVE-2025-10853 | P4 | MEDIUM | CVSS 6.1 | 2025-11-05
Affected: ≥ 5.10.0, < 5.10.0.373; ≥ 5.11.0, < 5.11.0.417; +4 more
CWE-79. A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters, a malicious actor can inject arbitrary JavaScript into the response, leading to reflected XSS. Successful exploitation could result in UI manipulation, redirection to
Source: nvd
CVE-2024-7103 | P4 | MEDIUM | CVSS 5.4 | 2025-05-22
Affected: ≥ 7.0.0, < 7.0.0.64
CWE-79. A reflected cross-site scripting (XSS) vulnerability exists in the sub-organization login flow of WSO2 Identity Server 7.0.0 due to improper input validation. A malicious actor can exploit this vulnerability to inject arbitrary JavaScript into the login flow, potentially leading to UI modifications, redirections to malicious websites, or data exfiltrat
Source: nvd
CVE-2024-8008 | P4 | MEDIUM | CVSS 5.2 | 2025-06-02
Affected: ≥ 5.10.0, < 5.10.0.328; ≥ 5.11.0, < 5.11.0.374; +3 more
CWE-79. A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to insufficient output encoding in error messages generated by the JDBC user store connection validation request. A malicious actor can inject a specially crafted payload into the request, causing the browser to execute arbitrary JavaScript in the context of the v
Source: nvd
CVE-2024-3511 | P4 | MEDIUM | CVSS 4.3 | 2025-06-23
Affected: ≥ 5.10.0, < 5.10.0.292; ≥ 5.11.0, < 5.11.0.333; +3 more
CWE-863. An incorrect authorization vulnerability exists in multiple WSO2 products that allows unauthorized access to versioned files stored in the registry. Due to flawed authorization logic, a malicious actor with access to the management console can exploit a specific bypass method to retrieve versioned files without proper authorization. Successful exploi
Source: nvd
CVE-2024-6429 | P4 | MEDIUM | CVSS 4.3 | 2025-09-23
Affected: ≥ 5.10.0, < 5.10.0.314; ≥ 5.11.0, < 5.11.0.359; +3 more
CWE-451. A content spoofing vulnerability exists in multiple WSO2 products due to improper error message handling. Under certain conditions, error messages are passed through URL parameters without validation, allowing malicious actors to inject arbitrary content into the UI. By exploiting this vulnerability, attackers can manipulate browser-displayed error m
Source: nvd
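Most entries on this page come down to a query-string value reaching a redirect or the rendered page unchecked: the open redirect in CVE-2024-1440, the error-message parameter in CVE-2024-6429, and the reflected XSS findings in the authentication endpoint (CVE-2025-6024, CVE-2024-5962, CVE-2025-5770, CVE-2025-10503 and others). The two functions below are an added example and not WSO2's code; the allowlisted host, the error codes and the page markup are assumptions. is_safe_redirect handles the bypasses that usually defeat a naive "starts with /" check, and render_error_page lets the client name an error but never supply its text:

```python
"""Added example (not WSO2 code): defensive handling of reflected query
parameters in an authentication endpoint. Allowlist host, error codes and
markup are assumptions."""
import html
from urllib.parse import unquote, urlsplit

ALLOWED_HOSTS = {"idp.example.com"}  # assumed: the IdP's own host(s)

# CWE-451 fix: the client may name an error, never supply its text.
ERROR_MESSAGES = {
    "login_failed": "Login failed. Please check your credentials.",
    "session_expired": "Your session has expired. Please sign in again.",
}


def is_safe_redirect(target: str) -> bool:
    """Accept only same-site absolute paths or absolute URLs to allowlisted hosts (CWE-601)."""
    if not target or len(target) > 2048:
        return False
    # Decode once so "%2F%2Fevil.com" is judged as "//evil.com", not as a path.
    target = unquote(target).strip()
    # Control characters and whitespace change how browsers parse the URL.
    if any(ord(c) < 0x21 for c in target):
        return False
    # Browsers treat "\" as "/": "/\evil.com" becomes "//evil.com".
    if "\\" in target:
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: must be a single-slash absolute path ("/..."),
        # not "//host" (protocol-relative) and not a bare "evil.com".
        return target.startswith("/") and not target.startswith("//")
    if parts.scheme not in ("http", "https"):
        return False  # rejects javascript:, data:, vbscript:, ...
    # hostname strips userinfo, so "https://idp.example.com@evil.com" yields "evil.com".
    return parts.hostname is not None and parts.hostname.lower() in ALLOWED_HOSTS


def render_error_page(params: dict) -> str:
    """Build the error fragment from a code lookup plus HTML-encoded echoes (CWE-79)."""
    code = params.get("error", "")
    message = ERROR_MESSAGES.get(code, "An error occurred.")
    # Anything reflected from the request is encoded for its HTML context;
    # html.escape(quote=True) also escapes quotes for the attribute below.
    username = html.escape(params.get("username", ""), quote=True)
    return (
        f'<p class="error">{html.escape(message)}</p>\n'
        f'<input name="username" value="{username}">'
    )
```

Encoding is per context: html.escape is right for text and quoted attributes, but a value placed inside a script block, a URL or an inline event handler needs that context's encoder, which is where most "we already escape" regressions come from.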
CVE-2024-0391 | P4 | MEDIUM | CVSS 4.3 | 2026-05-11
Affected: ≥ 5.10.0, < 5.10.0.379; ≥ 5.11.0, < 5.11.0.426; +4 more
CWE-204. The check user account lock states feature within the email OTP flow fails to validate user input, allowing an attacker to infer the existence of registered user accounts. The discovery of valid usernames can increase the risk of brute-force and social engineering attacks. Attackers can leverage this information to craft targeted phishing campaigns o
Source: nvd
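CVE-2025-1396 and CVE-2024-0391 both leak account existence: one through a distinct "User does not exist" text, the other through a pre-authentication lock-state check in the email OTP flow. The following is an added example, not WSO2's code, of a credential check and an OTP start step whose responses do not depend on whether the username exists; the user table, the hashing cost and the message strings are assumptions. login_leaky shows the CWE-203/204 shape, login_uniform and request_email_otp the fixed shape:

```python
"""Added example (not WSO2 code): enumeration-resistant login and OTP start.
User table, PBKDF2 cost and message strings are assumptions."""
import hashlib
import hmac
import os
import secrets

PBKDF2_ITERS = 100_000  # assumed cost; must be identical on every code path
GENERIC_FAILURE = "Invalid username or password."
OTP_RESPONSE = "If an account exists for this username, a one-time code has been sent."


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERS)


# Constructed sample user store: username -> (salt, hash)
_ALICE_SALT = os.urandom(16)
USERS = {"alice": (_ALICE_SALT, _hash("correct horse", _ALICE_SALT))}

# A fixed decoy record so an unknown username costs the same work as a known one.
_DECOY_SALT = os.urandom(16)
_DECOY_HASH = _hash(secrets.token_hex(16), _DECOY_SALT)


def login_leaky(username: str, password: str) -> tuple:
    """CWE-203/204 pattern: the error text (and the work done) reveal whether
    the account exists."""
    rec = USERS.get(username)
    if rec is None:
        return False, "User does not exist"
    salt, stored = rec
    if hmac.compare_digest(_hash(password, salt), stored):
        return True, "ok"
    return False, "Incorrect password"


def login_uniform(username: str, password: str) -> tuple:
    """Hardened: one failure message, and the same hash computation whether or
    not the username exists, so neither the text nor the timing separates
    'no such user' from 'wrong password'."""
    salt, stored = USERS.get(username, (_DECOY_SALT, _DECOY_HASH))
    match = hmac.compare_digest(_hash(password, salt), stored)
    if match and username in USERS:
        return True, "ok"
    return False, GENERIC_FAILURE


def request_email_otp(username: str, locked: set, outbox: list) -> str:
    """Email OTP start step. The response is identical for unknown, locked and
    active accounts; only the side effect (an email the attacker cannot
    observe) differs. Lock state is never reported before the factor is proven."""
    if username in USERS and username not in locked:
        outbox.append((username, secrets.token_hex(3)))
    return OTP_RESPONSE
```

The decoy hash is what makes the message uniformity hold up under timing measurement; returning the same string while skipping the hash for unknown users leaves a response-time oracle that is just as usable as the text was.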