CVE-2025-6024
Received Received - Intake

Cross-Site Scripting in Authentication Endpoint Enables Browser Exploits

Vulnerability report for CVE-2025-6024, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-04-16

Last updated on: 2026-04-23

Assigner: WSO2 LLC

Description

The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection. An attacker can leverage this by injecting malicious scripts into the authentication endpoint. This can result in the user's browser being redirected to a malicious website, manipulation of the web page's user interface, or the retrieval of information from the browser. However, session hijacking is not possible due to the httpOnly flag protecting session-related cookies.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-04-16
Last Modified
2026-04-23
Generated
2026-07-06
AI Q&A
2026-04-16
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 7 associated CPEs
Vendor Product Version / Range
wso2 api_manager 3.1.0
wso2 api_manager 4.0.0
wso2 api_manager 3.2.0
wso2 api_manager 3.2.1
wso2 api_manager 4.1.0
wso2 identity_server 5.11.0
wso2 identity_server 5.10.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability occurs because the authentication endpoint does not encode user-supplied input before displaying it on the web page. This allows an attacker to inject malicious scripts into the page.

When exploited, the attacker can cause the user's browser to execute these malicious scripts, which can lead to redirection to malicious websites, manipulation of the web page's user interface, or unauthorized retrieval of information from the browser.

However, session hijacking is prevented because session-related cookies are protected by the httpOnly flag.

Impact Analysis

This vulnerability can impact you by allowing attackers to inject malicious scripts into the authentication page you use.

  • Your browser could be redirected to malicious websites without your consent.
  • The attacker could manipulate the user interface of the web page, potentially misleading you or causing unintended actions.
  • Sensitive information accessible through your browser could be retrieved by the attacker.

Note that session hijacking is not possible due to protections on session cookies.

Compliance Impact

The vulnerability allows for script injection via the authentication endpoint, which can lead to malicious redirection, manipulation of the web page interface, or unauthorized retrieval of information from the user's browser.

Such exploitation could potentially lead to unauthorized access to personal or sensitive data, which may impact compliance with data protection regulations like GDPR or HIPAA that require safeguarding user data and preventing unauthorized data access or disclosure.

However, session hijacking is mitigated by the httpOnly flag on session cookies, reducing some risk.

Overall, this vulnerability could pose a risk to compliance by enabling data leakage or manipulation through cross-site scripting attacks.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-6024. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart