CVE-2025-0209 MEDIUM

CVE-2025-0209: Reflected Cross-Site Scripting (XSS) in WSO2 Identity Server Account Registration Flow

Vendor Wso2
Product WSO2 Identity Server
Weakness CWE-79 · XSS
Published September 23, 2025
Last update September 23, 2025

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

A reflected cross-site scripting (XSS) vulnerability exists in the account registration flow of WSO2 Identity Server due to improper output encoding. A malicious actor can exploit this vulnerability by injecting a crafted payload that is reflected in the server response, enabling the execution of arbitrary JavaScript in the victim's browser. This vulnerability could allow attackers to redirect users to malicious websites, modify the user interface, or exfiltrate data from the browser. However, session-related sensitive cookies are protected using the httpOnly flag, which mitigates the risk of session hijacking.

Key dates

02Disclosure timeline

September 23, 2025 CVE published
September 23, 2025 Record updated