CVE-2025-10853

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-10853

Import Source

https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2025-10853.json

JSON Data

https://api.test.osv.dev/v1/vulns/CVE-2025-10853

Published

2025-11-05T20:15:32.297Z

Modified

2025-11-17T04:38:36.122158Z

Severity

6.1 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

[none]

Details

A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters, a malicious actor can inject arbitrary JavaScript into the response, leading to reflected XSS.

Successful exploitation could result in UI manipulation, redirection to malicious websites, or data theft from the browser. However, session-related sensitive cookies are protected with the httpOnly flag, which mitigates the risk of session hijacking.

References

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4486/

Affected packages

Git / github.com/wso2/product-apim

Affected ranges

Type: GIT
Repo: https://github.com/wso2/product-apim
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Last affected

2971de274564b622974de831403e9688a4a76c14

Last affected

2d31e24faeeb97e70d7f19033ccff2f843f8c892

Last affected

572610e8e6564a647044bdb454eda658e1253352

Last affected

6e7a9db24a575f1f4a5bc4f4cbb41687c308c466

Last affected

9f152cad69fafd010fae1ed02b636409f0860b91

Last affected

c97258caec907ea69c289c80ff708a214c3372dc

Last affected

cf00d9e6cb083f94abae11818794f62cd5c94079

Last affected

e4956e9301b1c26eb06e80ec5c86628154b6ab55

Last affected

f84a64d6683176f3ffb57fa262f3035b69781f2f

Affected versions

test-tag-1.*

test-tag-1.9.0-Alpha

v1.*

v1.10.0

v1.10.0-Alpha

v1.10.0-Beta

v1.10.0-rc3

v1.10.0-rc4

v1.9.0

v1.9.0-Alpha

v1.9.0-Beta

v1.9.0-Beta-2

v1.9.0-Beta-3

v1.9.0-M2

v2.*

v2.0.0

v2.0.0-ALPHA

v2.0.0-BETA

v2.0.0-M1

v2.0.0-M2

v2.0.0-M3

v2.0.0-M4

v2.0.0-M5

v2.0.0-beta2

v2.0.0-rc1

v2.0.0-rc2

v2.0.0-rc3

v2.0.0-rc4

v2.0.0-rc5

v2.1.0-alpha

v2.1.0-update1

v2.1.0-update10

v2.1.0-update11

v2.1.0-update12

v2.1.0-update13

v2.1.0-update14

v2.1.0-update2

v2.1.0-update3

v2.1.0-update4

v2.1.0-update5

v2.1.0-update6

v2.1.0-update7

v2.1.0-update8

v2.1.0-update9

v2.2.0

v2.2.0-update1

v2.2.0-update2

v2.2.0-update3

v2.2.0-update4

v2.2.0-update5

v2.2.0-update6

v2.2.0-update7

v2.5.0

v2.5.0-Alpha

v2.5.0-Beta

v2.5.0-rc1

v2.5.0-rc2

v2.5.0-rc3

v2.5.0-rc4

v2.6.0

v2.6.0-alpha

v2.6.0-alpha2

v2.6.0-beta

v2.6.0-beta2

v2.6.0-m1

v2.6.0-m2

v2.6.0-rc1

v2.6.0-rc2

v2.6.0-rc3

v3.*

v3.0.0

v3.0.0-alpha

v3.0.0-alpha2

v3.0.0-beta

v3.0.0-m32

v3.0.0-m33

v3.0.0-m34

v3.0.0-m35

v3.0.0-rc1

v3.0.0-rc2

v3.0.0-rc3

v3.1.0

v3.1.0-alpha

v3.1.0-beta

v3.1.0-m1

v3.1.0-m2

v3.1.0-m3

v3.1.0-m4

v3.1.0-m5

v3.1.0-rc1

v3.1.0-rc2

v3.1.0-rc3