CVE-2025-6024 — MEDIUM (6.1)

Vulnerability Description

The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection. An attacker can leverage this by injecting malicious scripts into the authentication endpoint. This can result in the user's browser being redirected to a malicious website, manipulation of the web page's user interface, or the retrieval of information from the browser. However, session hijacking is not possible due to the httpOnly flag protecting session-related cookies.

CVSS Score

6.1

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

LOW

Integrity

LOW

Availability

NONE

Affected Products

Vendor	Product	Versions
Wso2	Api Manager	3.1.0
Wso2	Identity Server	5.10.0

Related Weaknesses (CWE)

CWE-79

References

https://security.docs.wso2.com/en/latest/security-announcements/security-advisorVendor Advisory

FAQ

What is CVE-2025-6024?

CVE-2025-6024 is a vulnerability with a CVSS score of 6.1 (MEDIUM). The authentication endpoint fails to encode user-supplied input before rendering it in the web page, allowing for script injection. An attacker can leverage this by injecting malicious scripts into th...

How severe is CVE-2025-6024?

CVE-2025-6024 has been rated MEDIUM with a CVSS base score of 6.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-6024?

Check the references section above for vendor advisories and patch information. Affected products include: Wso2 Api Manager, Wso2 Identity Server.