CVE-2025-5770 MEDIUM

CVE-2025-5770: Reflected Cross-Site Scripting (XSS) in Authentication Endpoints of Multiple WSO2 Products

Vendor WSO2
Product WSO2 Identity Server
Weakness CWE-79 · XSS
Published November 5, 2025
Last update November 5, 2025

CVSS base score

6.1/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

What the vulnerability does

Description

A reflected cross-site scripting (XSS) vulnerability exists in the authentication endpoints of multiple WSO2 products due to a lack of output encoding. A malicious actor can inject arbitrary JavaScript payloads into the authentication endpoint, which are reflected back in the response, enabling browser-based attacks. Exploitation may result in redirection to malicious websites, UI manipulation, or unauthorized data access from the victim’s browser. However, session-related cookies are protected with the httpOnly flag, which mitigates session hijacking via this vector.

Key dates

Disclosure timeline

November 5, 2025 CVE published
November 5, 2025 Record updated
