CVE-2025-0209 — MEDIUM (6.1)

Vulnerability Description

A reflected cross-site scripting (XSS) vulnerability exists in the account registration flow of WSO2 Identity Server due to improper output encoding. A malicious actor can exploit this vulnerability by injecting a crafted payload that is reflected in the server response, enabling the execution of arbitrary JavaScript in the victim's browser. This vulnerability could allow attackers to redirect users to malicious websites, modify the user interface, or exfiltrate data from the browser. However, session-related sensitive cookies are protected using the httpOnly flag, which mitigates the risk of session hijacking.

CVSS Score

6.1

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Wso2	Identity Server	7.0.0

Related Weaknesses (CWE)

CWE-79

References

https://security.docs.wso2.com/en/latest/security-announcements/security-advisorVendor Advisory

FAQ

What is CVE-2025-0209?

CVE-2025-0209 is a vulnerability with a CVSS score of 6.1 (MEDIUM). A reflected cross-site scripting (XSS) vulnerability exists in the account registration flow of WSO2 Identity Server due to improper output encoding. A malicious actor can exploit this vulnerability b...

How severe is CVE-2025-0209?

CVE-2025-0209 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-0209?

Check the references section above for vendor advisories and patch information. Affected products include: Wso2 Identity Server.