CVE-2018-8716

MEDIUM

WSO2 Identity Server < 5.5.0 - Stored Cross-Site Scripting via Dashboard

Exploitation Summary

EIP tracks 1 public exploit for CVE-2018-8716. PoCs published by SEC Consult.

AI-analyzed exploit summary: The advisory describes multiple stored XSS vulnerabilities in WSO2 Carbon and Dashboard Server, allowing arbitrary JavaScript payloads to be injected into user input fields. The payloads are permanently stored and executed when accessed, potentially affecting both end-users and administrators.

Description

WSO2 Identity Server before 5.5.0 has XSS via the dashboard, allowing attacks by low-privileged attackers.

Exploits (1)

exploitdb WRITEUP
by SEC Consult · text · webapps · java
https://www.exploit-db.com/exploits/44531

Classification: Writeup 100%
Attack Type: XSS
Complexity: Trivial
Reliability: Reliable
Target: WSO2 Identity Server 5.3.0, WSO2 Dashboard Server
Auth required
Prerequisites: Access to vulnerable input fields in WSO2 Dashboard or Carbon UI
devstral-2 · analyzed Feb 16, 2026

References (5)

Core References
Exploit, Mailing List, Third Party Advisory mailing-list x_refsource_fulldisc
http://seclists.org/fulldisclosure/2018/Apr/45
Exploit, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db
https://www.exploit-db.com/exploits/44531/
Exploit, Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/541954/100/0/threaded

Scores

CVSS v3 5.4
EPSS 0.3933
EPSS Percentile 98.4%
Attack Vector NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Details

CWE CWE-79
Status published
Products (1)
wso2/identity_server < 5.5.0
Published Apr 25, 2018
Tracked Since Feb 18, 2026