CVE-2025-10853 MEDIUM

CVE-2025-10853: Reflected Cross-Site Scripting (XSS) in Management Console of Multiple WSO2 Products Due to Improper Output Encoding

Vendor Wso2
Product WSO2 Open Banking IAM
Weakness CWE-79 · XSS
Published November 5, 2025
Last update November 5, 2025

CVSS base score

5.2/10
Attack vector Adjacent
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

01Description

A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters, a malicious actor can inject arbitrary JavaScript into the response, leading to reflected XSS. Successful exploitation could result in UI manipulation, redirection to malicious websites, or data theft from the browser. However, session-related sensitive cookies are protected with the httpOnly flag, which mitigates the risk of session hijacking.

Key dates

02Disclosure timeline

November 5, 2025 CVE published
November 5, 2025 Record updated