WSO2 Identity Server Reflected Cross-Site Scripting Vulnerability in Account Registration Flow

Vulnerability

A reflected cross-site scripting (XSS) vulnerability has been identified in WSO2 Identity Server 7.0.0. The account registration flow writes attacker-controlled request input back into the page without proper output encoding, so a crafted link can carry a payload that is rendered and executed as JavaScript in the victim's browser. Because the flaw is reflected, exploitation requires the victim to open an attacker-supplied URL. Successful exploitation could redirect the victim to a malicious website, alter the user interface, or exfiltrate data accessible to the page. Session-related sensitive cookies are set with the httpOnly flag, so the injected script cannot read them directly; this mitigates session hijacking by cookie theft, although script running in the application's origin can still drive the user's authenticated session from within the page.
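The following is an added example, not WSO2 code and not the affected registration page: it shows the reflected-XSS pattern the advisory describes, as a vulnerable template beside its output-encoded counterpart, plus a check that distinguishes the two from the response body. The page text and the `username` parameter are assumptions for illustration; the advisory does not name the affected parameter.

```javascript
// Added example (not WSO2 code): reflected XSS from missing output encoding,
// the hardened equivalent, and a response check. The markup and the
// `username` parameter are assumptions; the real parameter is not named.

// Encode for the HTML body context (also safe inside double-quoted attributes).
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, '&amp;')   // first, so later entities are not double-encoded
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Vulnerable pattern: the request parameter is concatenated into markup as-is.
function renderVulnerable(username) {
  return `<p>Registering account: ${username}</p>`;
}

// Hardened pattern: the same value, encoded for the context it is written into.
function renderHardened(username) {
  return `<p>Registering account: ${htmlEncode(username)}</p>`;
}

// A probe that reveals whether the reflection preserves markup. If it comes
// back byte-for-byte, the page is exploitable.
const PROBE = '<img src=x onerror=alert(1)>';

function reflectsUnencoded(responseBody, probe = PROBE) {
  return responseBody.includes(probe);
}

// Simulated server side (constructed stand-in for a real request): the value
// arrives URL-encoded in the query string and is decoded before rendering.
function handleRequest(render, rawQueryValue) {
  return render(decodeURIComponent(rawQueryValue));
}

const attackerUrlValue = encodeURIComponent(PROBE);
const vulnerableBody = handleRequest(renderVulnerable, attackerUrlValue);
const hardenedBody = handleRequest(renderHardened, attackerUrlValue);

console.log('vulnerable page reflects payload:', reflectsUnencoded(vulnerableBody)); // true
console.log('hardened page reflects payload:', reflectsUnencoded(hardenedBody));     // false
console.log(hardenedBody); // <p>Registering account: &lt;img src=x onerror=alert(1)&gt;</p>
```

In a real deployment the encoding belongs in the templating layer rather than in ad-hoc string replacement, and the `reflectsUnencoded` check is the kind of test to run against the registration endpoint after patching: send a harmless marker in each reflected parameter and confirm it is returned HTML-encoded.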

Impact

Exploitation yields reflected cross-site scripting: injected JavaScript runs in the victim's browser in the context of the Identity Server origin. Consequences include redirection to malicious sites, UI manipulation, and exfiltration of data from the browser. The httpOnly flag on sensitive cookies prevents the injected script from reading session cookies, so session hijacking via cookie theft is not a concern.

Remediation

Deployments running WSO2 Identity Server 7.0.0 should upgrade to the latest release. Customers with a support subscription can apply the fix through WSO2 Updates. After updating, confirm the fix by requesting the registration page with a harmless marker in the affected parameter and verifying that it is returned HTML-encoded rather than as raw markup.

Added: Sep 23, 2025, 6:29 PM
Updated: Sep 23, 2025, 6:29 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 3.5
exploitability: 6.5
remediation: 7.7
relevance: 0.6
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.