WSO2 API Manager
cpe:2.3:a:wso2:api_manager:*:*:*:*:*:*:*
- 4.0.0
- 3.2.0
A reflected cross-site scripting vulnerability has been identified in the authentication endpoint of WSO2 API Manager versions 4.0.0 and 3.2.0. The vulnerability arises from inadequate validation of user-supplied input, allowing attackers to inject malicious scripts that are executed in the context of the victim's browser. Exploitation of this vulnerability could lead to redirection to malicious websites, modification of the web page's user interface, or unauthorized access to browser-stored information. However, the impact is somewhat mitigated as session-related sensitive cookies are protected by the httpOnly flag, preventing session hijacking.
WSO2 API Manager users should update to version 4.0.0 (update level 318) or 3.2.0 (update level 401).