CVE-2024-7103
MEDIUMWSO2 Identity Server 7.0.0 - Reflected Cross-Site Scripting in Sub-Organization Login Flow
Title source: llmDescription
A reflected cross-site scripting (XSS) vulnerability exists in the sub-organization login flow of WSO2 Identity Server 7.0.0 due to improper input validation. A malicious actor can exploit this vulnerability to inject arbitrary JavaScript into the login flow, potentially leading to UI modifications, redirections to malicious websites, or data exfiltration from the browser. While this issue could allow an attacker to manipulate the user’s browser, session-related sensitive cookies remain protected with the httpOnly flag, preventing session hijacking.
References (1)
Core 1
Core References
Vendor Advisory vendor-advisory
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3425/
Scores
CVSS v3
4.6
EPSS
0.0018
EPSS Percentile
7.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-79
Status
published
Products (1)
wso2/identity_server
7.0.0
Published
May 22, 2025
Tracked Since
Feb 18, 2026