XSS Reflected in WSO2 Identity Server
| Field | Value |
| --- | --- |
| Title | XSS Reflected in WSO2 Identity Server |
| Discovery date | 13/06/2023 |
| Class | XSS Reflected, HTML Injection |
Affected Products
WSO2 Identity Server 5.10.0.
Other product versions are probably also vulnerable, but they were not checked.
Proof of Concept
It is possible to inject JavaScript code into the WSO2 Identity Server application through the login URL.
The login URL is composed as follows:
After the "tenantDomain" field, HTML code can be entered that is inserted into the response page, or JavaScript code that is executed in the browser.
Below is the GET request on the login page.
The server response with the executed XSS code:
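The injection point described above is a parameter reflected into the page without output encoding. As an added illustration (not code from the advisory or from WSO2), the snippet below contrasts a handler that echoes a "tenantDomain" value verbatim with one that validates it against a hostname allowlist and HTML-encodes it, plus a small heuristic for flagging tampered values in access logs; it assumes tenantDomain is a query-string parameter and uses constructed sample URLs.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Tenant domains are hostnames: letters, digits, dots and hyphens only (assumed allowlist)
TENANT_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def tenant_from_login_url(url: str) -> str:
    """Extract the tenantDomain value from a login URL (assumed query-string parameter)."""
    params = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return params.get("tenantDomain", [""])[0]


def render_login_vulnerable(tenant: str) -> str:
    """Reflects the parameter verbatim into the HTML page: any markup in it is rendered."""
    return f"<p>Sign in to tenant: {tenant}</p>"


def render_login_fixed(tenant: str) -> str:
    """Validate against the allowlist, then HTML-encode before reflecting into the page."""
    if not TENANT_RE.fullmatch(tenant):
        tenant = "invalid tenant"  # reject rather than echo unexpected input
    return f"<p>Sign in to tenant: {html.escape(tenant, quote=True)}</p>"


def has_html_markup(value: str) -> bool:
    """Detection heuristic for access logs: flag tenantDomain values carrying tag or quote characters."""
    return bool(re.search(r"[<>\"']", value))


# Constructed sample requests, not taken from the advisory
BENIGN_URL = "https://idp.example.com/login?tenantDomain=example.com"
TAMPERED_URL = "https://idp.example.com/login?tenantDomain=example.com%3Ci%3Emarker%3C%2Fi%3E"

if __name__ == "__main__":
    for url in (BENIGN_URL, TAMPERED_URL):
        tenant = tenant_from_login_url(url)
        print(has_html_markup(tenant), render_login_vulnerable(tenant), render_login_fixed(tenant))
```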