Title: XSS Reflected in WSO2 Identity Server
Discovery date: 13/06/2023
Class: XSS Reflected, HTML Injection

Affected Products

WSO2 Identity Server 5.10.0.

Other product versions are probably also vulnerable, but they were not checked.

Proof of Concept

It is possible to inject JavaScript code within the WSO2 Identity Server application using the URL of the
The login URL is composed as follows:

After the “tenantDomain” field, you can enter HTML code that will be inserted into the response page
or JavaScript code that will be executed on the browser side.
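
The server-side fix for the reflection described above, as an added example that is not part of the original advisory or WSO2's code: validate the tenantDomain value, then HTML-encode it at the point of output. The hidden-input template, the class and method names and the domain-name rule are assumptions made for illustration; the sample inputs are constructed.

```java
import java.util.regex.Pattern;
public class TenantDomainReflection {
    // Assumption: tenant domains are DNS-style names (letters, digits, '-', '.'), at most 253 chars.
    private static final Pattern TENANT_DOMAIN = Pattern.compile(
            "^(?=.{1,253}$)[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?(?:\\.[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?)*$");

    /** Reject anything that is not a plain domain name before it reaches a template. */
    static boolean isValidTenantDomain(String value) {
        return value != null && TENANT_DOMAIN.matcher(value).matches();
    }

    /** Minimal HTML encoder for element content and quoted attribute values. */
    static String encodeForHtml(String value) {
        StringBuilder out = new StringBuilder(value.length() + 16);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    /** Vulnerable pattern (hypothetical template): the raw parameter is concatenated into the page. */
    static String renderUnsafe(String tenantDomain) {
        return "<input type=\"hidden\" name=\"tenantDomain\" value=\"" + tenantDomain + "\">";
    }

    /** Hardened pattern: drop values that fail validation, and encode whatever is written out. */
    static String renderSafe(String tenantDomain) {
        String value = isValidTenantDomain(tenantDomain) ? tenantDomain : "";
        return "<input type=\"hidden\" name=\"tenantDomain\" value=\"" + encodeForHtml(value) + "\">";
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one ordinary tenant name, one carrying HTML markup.
        String[] samples = { "carbon.super", "carbon.super\"><b>injected</b>" };
        for (String s : samples) {
            System.out.println("input : " + s);
            System.out.println("unsafe: " + renderUnsafe(s));
            System.out.println("safe  : " + renderSafe(s));
        }
    }
}
```

For the second sample, the unsafe renderer closes the attribute and emits the `<b>` element as markup, while the safe renderer writes an empty value because the input fails validation.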

Below is the GET request on the login page.

The server response with the executed XSS code:

