CVE-2025-10503
Status: Received - Intake
Reflected XSS in Authentication Endpoint Enables Malicious Redirects

Publication date: 2026-04-29

Last updated on: 2026-05-01

Assigner: WSO2 LLC

Description
The authentication endpoint accepts user-supplied input without enforcing expected validation constraints, leading to a lack of proper output encoding. This allows for the injection of malicious JavaScript payloads, enabling reflected cross-site scripting. An attacker can leverage this vulnerability to redirect the user's browser to a malicious website, modify the user interface of the web page, retrieve information from the browser, or cause other harmful actions. However, due to the protection of session-related cookies with the httpOnly flag, session hijacking is not possible.
Generated: 2026-05-07
AI Q&A generated: 2026-04-29
EPSS evaluated: 2026-05-05
Affected Vendors & Products
Vendor: wso2
Product: identity_server
Version range: from 7.1.0 (inclusive) to 7.1.0.28 (exclusive)
CWE
CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a reflected Cross-Site Scripting (XSS) flaw found in the authentication endpoint of WSO2 Identity Server version 7.1.0. It occurs because the endpoint accepts user input without enforcing proper validation and output encoding, allowing attackers to inject malicious JavaScript payloads.


How can this vulnerability impact me?

Exploiting this vulnerability allows an attacker to redirect your browser to malicious websites, modify the user interface of the affected web page, or extract information from your browser.

However, session hijacking is not possible because session-related cookies are protected with the httpOnly flag, preventing access via client-side scripts.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability is a reflected Cross-Site Scripting (XSS) issue in the authentication endpoint of WSO2 Identity Server 7.1.0, caused by improper output encoding of user-supplied input.

To detect this vulnerability on your system, you can test the authentication endpoint by injecting typical XSS payloads in input fields or URL parameters and observing if the payload is reflected unencoded in the response.

Common commands or tools to assist detection include using curl or browser-based tools to send requests with XSS payloads such as <script>alert(1)</script> and checking the response for unencoded script tags.

  • Example curl command to test the authentication endpoint: curl -i -X GET 'https://your-wso2-server/auth?input=<script>alert(1)</script>'
  • Use browser developer tools or intercepting proxies (e.g., Burp Suite) to inject and monitor reflected payloads in responses.
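A small checker for the response-inspection step described above, added here as an example; it is not part of the original page or of WSO2's code, and the two HTTP responses it parses are constructed samples, not captured server output. It reports whether the probe string comes back raw or HTML-encoded, and lists any Set-Cookie header that lacks HttpOnly, the flag the advisory relies on to rule out session hijacking.

```python
import html
from dataclasses import dataclass

# Probe string taken from the detection answer above.
PROBE = "<script>alert(1)</script>"

# Constructed sample: the probe is reflected byte-for-byte (vulnerable).
VULNERABLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html><body>Login failed for <script>alert(1)</script></body></html>"
)

# Constructed sample: the probe is reflected only in HTML-encoded form (fixed).
FIXED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly\r\n"
    "\r\n"
    "<html><body>Login failed for &lt;script&gt;alert(1)&lt;/script&gt;</body></html>"
)


@dataclass
class Finding:
    reflected_raw: bool         # probe appears unencoded in the body
    reflected_encoded: bool     # probe appears in HTML-escaped form
    cookies_without_httponly: list  # cookie names missing the HttpOnly flag


def split_response(raw):
    """Split a raw HTTP/1.1 response into its header lines and body."""
    head, _, body = raw.partition("\r\n\r\n")
    return head.split("\r\n")[1:], body


def check_response(raw, probe=PROBE):
    """Inspect one response for unencoded reflection and cookie flags."""
    headers, body = split_response(raw)
    missing = []
    for line in headers:
        name, _, value = line.partition(":")
        if name.strip().lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        if "httponly" not in {p.lower() for p in parts[1:]}:
            missing.append(parts[0].split("=", 1)[0])
    return Finding(probe in body, html.escape(probe, quote=True) in body, missing)


def is_vulnerable(raw, probe=PROBE):
    """True when the probe is reflected without output encoding."""
    return check_response(raw, probe).reflected_raw
```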

What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include applying the publicly available fix from the WSO2 GitHub repository or upgrading to the latest unaffected version of WSO2 Identity Server.

  • Community users should apply the fix available at https://github.com/wso2/identity-apps/pull/8295.
  • Support subscription holders should update WSO2 Identity Server 7.1.0 to update level 28 or higher.

These steps will ensure proper output encoding is enforced, preventing malicious JavaScript injection via the authentication endpoint.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The provided information does not specify how this vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA.