CVE-2024-10242 PUBLISHED

Reflected Cross-Site Scripting via Authentication Endpoint in WSO2 API Manager Allows UI Modification and Redirection

Assigner: WSO2
Reserved: 22.10.2024 Published: 16.04.2026 Updated: 16.04.2026

The authentication endpoint fails to adequately validate user-supplied input before reflecting it back in the response. This allows an attacker to inject malicious script payloads into the input parameters, which are then executed by the victim's browser.

Successful exploitation can enable an attacker to redirect the user's browser to a malicious website, modify the UI of the web page, or retrieve information from the browser. However, the impact is limited as session-related sensitive cookies are protected by the httpOnly flag, preventing session hijacking.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS Score: 6.1

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	Low
Privileges Required	None	Integrity Impact	Low
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	WSO2
Product	WSO2 API Manager
Versions	Default: unaffected unknown from 0 to 3.2.0 (excl.) affected from 3.2.0 to 3.2.0.401 (excl.) affected from 4.0.0 to 4.0.0.318 (excl.)

Solutions

Follow the instructions given on https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3741/#solution

References

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3741/

Problem Types

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE

Impacts

CAPEC-82 CAPEC-82: Cross-site Scripting