{"id":"CVE-2025-5770","details":"A reflected cross-site scripting (XSS) vulnerability exists in the authentication endpoints of multiple WSO2 products due to a lack of output encoding. A malicious actor can inject arbitrary JavaScript payloads into the authentication endpoint, which are reflected back in the response, enabling browser-based attacks.\n\nExploitation may result in redirection to malicious websites, UI manipulation, or unauthorized data access from the victim’s browser. However, session-related cookies are protected with the httpOnly flag, which mitigates session hijacking via this vector.","modified":"2026-04-10T05:31:09.162321Z","published":"2025-11-05T19:16:01.880Z","references":[{"type":"ADVISORY","url":"https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4270/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/wso2/product-apim","events":[{"introduced":"0"},{"last_affected":"f84a64d6683176f3ffb57fa262f3035b69781f2f"},{"introduced":"0"},{"last_affected":"572610e8e6564a647044bdb454eda658e1253352"},{"introduced":"0"},{"last_affected":"6e7a9db24a575f1f4a5bc4f4cbb41687c308c466"},{"introduced":"0"},{"last_affected":"c97258caec907ea69c289c80ff708a214c3372dc"},{"introduced":"0"},{"last_affected":"f84a64d6683176f3ffb57fa262f3035b69781f2f"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"4.5.0-NA"},{"introduced":"0"},{"last_affected":"4.2.0-NA"},{"introduced":"0"},{"last_affected":"4.3.0-NA"},{"introduced":"0"},{"last_affected":"4.4.0-NA"},{"introduced":"0"},{"last_affected":"4.5.0-NA"}]}}],"versions":["4.0.0-beta","test-tag-1.9.0-Alpha","v1.9.0","v1.9.0-Alpha","v1.9.0-Beta","v1.9.0-Beta-2","v1.9.0-Beta-3","v1.9.0-M2","v2.0.0-ALPHA","v2.0.0-M4","v2.1.0-alpha","v2.1.0-update1","v2.1.0-update10","v2.1.0-update11","v2.1.0-update12","v2.1.0-update13","v2.1.0-update14","v2.1.0-update2","v2.1.0-update3","v2.1.0-update5","v2.1.0-update7","v2.1.0-update8","v2.1.0-update9","v2.2.0","v2.2.0-update1","v2.2.0-update2","v2.2.0-update3","v2.2.0-update4","v2.2.0-update5","v2.2.0-update6","v2.2.0-update7","v2.5.0","v2.5.0-Alpha","v2.5.0-Beta","v2.5.0-rc1","v2.5.0-rc2","v2.5.0-rc3","v2.5.0-rc4","v2.6.0","v2.6.0-alpha","v2.6.0-alpha2","v2.6.0-beta","v2.6.0-beta2","v2.6.0-m1","v2.6.0-m2","v2.6.0-rc1","v2.6.0-rc2","v2.6.0-rc3","v3.0.0","v3.0.0-alpha","v3.0.0-alpha2","v3.0.0-beta","v3.0.0-m32","v3.0.0-m33","v3.0.0-m34","v3.0.0-m35","v3.0.0-rc1","v3.0.0-rc2","v3.0.0-rc3","v3.1.0","v3.1.0-alpha","v3.1.0-beta","v3.1.0-m1","v3.1.0-m2","v3.1.0-m3","v3.1.0-m4","v3.1.0-m5","v3.1.0-rc1","v3.1.0-rc2","v3.1.0-rc3","v3.2.0","v3.2.0-alpha","v3.2.0-beta","v3.2.0-m1","v3.2.0-rc1","v3.2.0-rc2","v3.2.0-rc3","v3.2.0-rc4","v3.2.0-rc5","v3.2.0-rc6","v4.0.0","v4.0.0-alpha","v4.0.0-beta","v4.0.0-m1","v4.0.0-m2","v4.0.0-m3","v4.0.0-m4","v4.0.0-m5","v4.0.0-m6","v4.0.0-m7","v4.0.0-m8","v4.0.0-rc","v4.1.0","v4.1.0-alpha","v4.1.0-beta","v4.1.0-m1","v4.1.0-m2","v4.1.0-m3","v4.1.0-m4","v4.1.0-rc","v4.1.0-rc2","v4.1.0-rc3","v4.2.0","v4.2.0-alpha","v4.2.0-beta","v4.2.0-m1","v4.2.0-rc","v4.2.0-rc2","v4.3.0","v4.3.0-alpha","v4.3.0-alpha2","v4.3.0-beta","v4.3.0-m2","v4.3.0-rc","v4.3.0-rc2","v4.4.0","v4.4.0-alpha","v4.4.0-beta","v4.4.0-m1","v4.4.0-rc","v4.4.0-rc2","v4.5.0-acp","v4.5.0-acp-alpha","v4.5.0-acp-beta","v4.5.0-acp-m1","v4.5.0-acp-rc","v4.5.0-acp-rc2","v4.5.0-beta","v4.5.0-gw-alpha","v4.5.0-gw-beta","v4.5.0-gw-m1","v4.5.0-gw-rc","v4.5.0-m1","v4.5.0-m2","v4.5.0-rc","v4.5.0-tm","v4.5.0-tm-alpha","v4.5.0-tm-beta","v4.5.0-tm-m1","v4.5.0-tm-rc","v4.5.0-tm-rc2"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-5770.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"6.0.0-NA"}]},{"events":[{"introduced":"0"},{"last_affected":"6.1.0-NA"}]},{"events":[{"introduced":"0"},{"last_affected":"7.0.0-NA"}]},{"events":[{"introduced":"0"},{"last_affected":"7.1.0-NA"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}