CVE-2021-36760
- Source
- https://cve.org/CVERecord?id=CVE-2021-36760
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-36760.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2021-36760
- Published
- 2021-12-07T21:15:08.297Z
- Modified
- 2026-03-13T05:04:55.114118Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- [none]
- Details
-
In accountrecoveryendpoint/recoverpassword.do in WSO2 Identity Server 5.7.0, it is possible to perform a DOM-Based XSS attack affecting the callback parameter modifying the URL that precedes the callback parameter. Once the username or password reset procedure is completed, the JavaScript code will be executed. (recoverpassword.do also has an open redirect issue for a similar reason.)
- References
Affected packages
Git / github.com/wso2/product-apim
Affected ranges
- Type
- GIT
- Repo
- https://github.com/wso2/product-apim
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affectedIntroduced0 Unknown introduced commit / All previous commits are affectedLast affected
- Database specific
{ "versions": [ { "introduced": "0" }, { "last_affected": "3.0.0" }, { "introduced": "0" }, { "last_affected": "3.1.0" }, { "introduced": "0" }, { "last_affected": "3.2.0" }, { "introduced": "0" }, { "last_affected": "4.0.0" } ] }
Affected versions
test-tag-1.*
test-tag-1.9.0-Alpha
v1.*
v1.10.0
v1.10.0-Alpha
v1.10.0-Beta
v1.10.0-rc3
v1.10.0-rc4
v1.9.0
v1.9.0-Alpha
v1.9.0-Beta
v1.9.0-Beta-2
v1.9.0-Beta-3
v1.9.0-M2
v2.*
v2.0.0
v2.0.0-ALPHA
v2.0.0-BETA
v2.0.0-M1
v2.0.0-M2
v2.0.0-M3
v2.0.0-M4
v2.0.0-M5
v2.0.0-beta2
v2.0.0-rc1
v2.0.0-rc2
v2.0.0-rc3
v2.0.0-rc4
v2.0.0-rc5
v2.1.0-alpha
v2.1.0-update1
v2.1.0-update10
v2.1.0-update11
v2.1.0-update12
v2.1.0-update13
v2.1.0-update14
v2.1.0-update2
v2.1.0-update3
v2.1.0-update4
v2.1.0-update5
v2.1.0-update6
v2.1.0-update7
v2.1.0-update8
v2.1.0-update9
v2.2.0
v2.2.0-update1
v2.2.0-update2
v2.2.0-update3
v2.2.0-update4
v2.2.0-update5
v2.2.0-update6
v2.2.0-update7
v2.5.0
v2.5.0-Alpha
v2.5.0-Beta
v2.5.0-rc1
v2.5.0-rc2
v2.5.0-rc3
v2.5.0-rc4
v2.6.0
v2.6.0-alpha
v2.6.0-alpha2
v2.6.0-beta
v2.6.0-beta2
v2.6.0-m1
v2.6.0-m2
v2.6.0-rc1
v2.6.0-rc2
v2.6.0-rc3
v3.*
v3.0.0
v3.0.0-alpha
v3.0.0-alpha2
v3.0.0-beta
v3.0.0-m32
v3.0.0-m33
v3.0.0-m34
v3.0.0-m35
v3.0.0-rc1
v3.0.0-rc2
v3.0.0-rc3
Database specific
unresolved_ranges
[
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "5.7.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "5.8.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "5.9.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "5.10.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "5.11.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "5.3.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "5.5.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "5.6.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "5.7.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "5.9.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "5.10.0"
}
]
},
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.3.1"
}
]
}
]
source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2021-36760.json"