CVE-2025-10853

MEDIUM

WSO2 API Control Plane - Reflected Cross-Site Scripting via Management Console Parameters

Title source: llm
STIX 2.1

Description

A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters, a malicious actor can inject arbitrary JavaScript into the response, leading to reflected XSS. Successful exploitation could result in UI manipulation, redirection to malicious websites, or data theft from the browser. However, session-related sensitive cookies are protected with the httpOnly flag, which mitigates the risk of session hijacking.

References (1)

Core 1

Scores

CVSS v3 5.2
EPSS 0.0016
EPSS Percentile 5.5%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (22)
wso2/api_control_plane 4.5.0
wso2/api_manager 3.1.0
wso2/api_manager 3.2.0
wso2/api_manager 3.2.1
wso2/api_manager 4.0.0
wso2/api_manager 4.1.0
wso2/api_manager 4.2.0
wso2/api_manager 4.3.0
wso2/api_manager 4.4.0
wso2/api_manager 4.5.0
... and 12 more
Published Nov 05, 2025
Tracked Since Feb 18, 2026