Vulnerability Details CVE-2025-8591
The software accepts user-supplied input via a URL parameter without adequate output encoding before reflecting it back to the user's browser. This condition allows an attacker to inject malicious script content into pages served by the application.
By leveraging this weakness, an attacker can cause the user's browser to redirect to a malicious website, modify the UI of the webpage, or retrieve information from the browser. However, the impact is mitigated by the use of httpOnly flags on session-related cookies, preventing session hijacking.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 5.7%
CVSS Severity
CVSS v3 Score 6.1
Products affected by CVE-2025-8591
-
cpe:2.3:a:wso2:api_control_plane:4.5.0
-
cpe:2.3:a:wso2:api_control_plane:4.5.0.18
-
cpe:2.3:a:wso2:api_control_plane:4.5.0.21
-
cpe:2.3:a:wso2:api_control_plane:4.5.0.29
-
cpe:2.3:a:wso2:api_control_plane:4.6.0
-
cpe:2.3:a:wso2:api_manager:3.1.0
-
cpe:2.3:a:wso2:api_manager:3.1.0.181
-
cpe:2.3:a:wso2:api_manager:3.1.0.267
-
cpe:2.3:a:wso2:api_manager:3.1.0.278
-
cpe:2.3:a:wso2:api_manager:3.1.0.293
-
cpe:2.3:a:wso2:api_manager:3.1.0.322
-
cpe:2.3:a:wso2:api_manager:3.1.0.331
-
cpe:2.3:a:wso2:api_manager:3.1.0.345
-
cpe:2.3:a:wso2:api_manager:3.1.0.347
-
cpe:2.3:a:wso2:api_manager:3.1.0.349
-
cpe:2.3:a:wso2:api_manager:3.1.0.351
-
cpe:2.3:a:wso2:api_manager:3.2.0
-
cpe:2.3:a:wso2:api_manager:3.2.0.226
-
cpe:2.3:a:wso2:api_manager:3.2.0.278
-
cpe:2.3:a:wso2:api_manager:3.2.0.351
-
cpe:2.3:a:wso2:api_manager:3.2.0.368
-
cpe:2.3:a:wso2:api_manager:3.2.0.384
-
cpe:2.3:a:wso2:api_manager:3.2.0.397
-
cpe:2.3:a:wso2:api_manager:3.2.0.401
-
cpe:2.3:a:wso2:api_manager:3.2.0.408
-
cpe:2.3:a:wso2:api_manager:3.2.0.415
-
cpe:2.3:a:wso2:api_manager:3.2.0.422
-
cpe:2.3:a:wso2:api_manager:3.2.0.427
-
cpe:2.3:a:wso2:api_manager:3.2.0.432
-
cpe:2.3:a:wso2:api_manager:3.2.0.433
-
cpe:2.3:a:wso2:api_manager:3.2.0.434
-
cpe:2.3:a:wso2:api_manager:3.2.0.435
-
cpe:2.3:a:wso2:api_manager:3.2.0.446
-
cpe:2.3:a:wso2:api_manager:3.2.0.450
-
cpe:2.3:a:wso2:api_manager:3.2.0.453
-
cpe:2.3:a:wso2:api_manager:3.2.0.455
-
cpe:2.3:a:wso2:api_manager:3.2.0.457
-
cpe:2.3:a:wso2:api_manager:3.2.1
-
cpe:2.3:a:wso2:api_manager:3.2.1.16
-
cpe:2.3:a:wso2:api_manager:3.2.1.27
-
cpe:2.3:a:wso2:api_manager:3.2.1.32
-
cpe:2.3:a:wso2:api_manager:3.2.1.39
-
cpe:2.3:a:wso2:api_manager:3.2.1.42
-
cpe:2.3:a:wso2:api_manager:3.2.1.52
-
cpe:2.3:a:wso2:api_manager:3.2.1.53
-
cpe:2.3:a:wso2:api_manager:3.2.1.54
-
cpe:2.3:a:wso2:api_manager:3.2.1.55
-
cpe:2.3:a:wso2:api_manager:3.2.1.66
-
cpe:2.3:a:wso2:api_manager:3.2.1.69
-
cpe:2.3:a:wso2:api_manager:3.2.1.70
-
cpe:2.3:a:wso2:api_manager:3.2.1.73
-
cpe:2.3:a:wso2:api_manager:3.2.1.74
-
cpe:2.3:a:wso2:api_manager:3.2.1.76
-
cpe:2.3:a:wso2:api_manager:4.0.0
-
cpe:2.3:a:wso2:api_manager:4.0.0.168
-
cpe:2.3:a:wso2:api_manager:4.0.0.217
-
cpe:2.3:a:wso2:api_manager:4.0.0.269
-
cpe:2.3:a:wso2:api_manager:4.0.0.280
-
cpe:2.3:a:wso2:api_manager:4.0.0.293
-
cpe:2.3:a:wso2:api_manager:4.0.0.305
-
cpe:2.3:a:wso2:api_manager:4.0.0.310
-
cpe:2.3:a:wso2:api_manager:4.0.0.318
-
cpe:2.3:a:wso2:api_manager:4.0.0.319
-
cpe:2.3:a:wso2:api_manager:4.0.0.355
-
cpe:2.3:a:wso2:api_manager:4.0.0.368
-
cpe:2.3:a:wso2:api_manager:4.0.0.370
-
cpe:2.3:a:wso2:api_manager:4.0.0.373
-
cpe:2.3:a:wso2:api_manager:4.0.0.375
-
cpe:2.3:a:wso2:api_manager:4.1.0
-
cpe:2.3:a:wso2:api_manager:4.1.0.136
-
cpe:2.3:a:wso2:api_manager:4.1.0.152
-
cpe:2.3:a:wso2:api_manager:4.1.0.166
-
cpe:2.3:a:wso2:api_manager:4.1.0.169
-
cpe:2.3:a:wso2:api_manager:4.1.0.171
-
cpe:2.3:a:wso2:api_manager:4.1.0.187
-
cpe:2.3:a:wso2:api_manager:4.1.0.200
-
cpe:2.3:a:wso2:api_manager:4.1.0.206
-
cpe:2.3:a:wso2:api_manager:4.1.0.215
-
cpe:2.3:a:wso2:api_manager:4.1.0.216
-
cpe:2.3:a:wso2:api_manager:4.1.0.218
-
cpe:2.3:a:wso2:api_manager:4.1.0.219
-
cpe:2.3:a:wso2:api_manager:4.1.0.228
-
cpe:2.3:a:wso2:api_manager:4.1.0.231
-
cpe:2.3:a:wso2:api_manager:4.1.0.233
-
cpe:2.3:a:wso2:api_manager:4.1.0.236
-
cpe:2.3:a:wso2:api_manager:4.1.0.238
-
cpe:2.3:a:wso2:api_manager:4.1.0.242
-
cpe:2.3:a:wso2:api_manager:4.2.0
-
cpe:2.3:a:wso2:api_manager:4.2.0.100
-
cpe:2.3:a:wso2:api_manager:4.2.0.108
-
cpe:2.3:a:wso2:api_manager:4.2.0.127
-
cpe:2.3:a:wso2:api_manager:4.2.0.138
-
cpe:2.3:a:wso2:api_manager:4.2.0.144
-
cpe:2.3:a:wso2:api_manager:4.2.0.150
-
cpe:2.3:a:wso2:api_manager:4.2.0.153
-
cpe:2.3:a:wso2:api_manager:4.2.0.156
-
cpe:2.3:a:wso2:api_manager:4.2.0.157
-
cpe:2.3:a:wso2:api_manager:4.2.0.164
-
cpe:2.3:a:wso2:api_manager:4.2.0.169
-
cpe:2.3:a:wso2:api_manager:4.2.0.171
-
cpe:2.3:a:wso2:api_manager:4.2.0.173
-
cpe:2.3:a:wso2:api_manager:4.2.0.176
-
cpe:2.3:a:wso2:api_manager:4.2.0.178
-
cpe:2.3:a:wso2:api_manager:4.2.0.179
-
cpe:2.3:a:wso2:api_manager:4.2.0.182
-
cpe:2.3:a:wso2:api_manager:4.2.0.80
-
cpe:2.3:a:wso2:api_manager:4.3.0
-
cpe:2.3:a:wso2:api_manager:4.3.0.16
-
cpe:2.3:a:wso2:api_manager:4.3.0.39
-
cpe:2.3:a:wso2:api_manager:4.3.0.51
-
cpe:2.3:a:wso2:api_manager:4.3.0.55
-
cpe:2.3:a:wso2:api_manager:4.3.0.57
-
cpe:2.3:a:wso2:api_manager:4.3.0.65
-
cpe:2.3:a:wso2:api_manager:4.3.0.66
-
cpe:2.3:a:wso2:api_manager:4.3.0.67
-
cpe:2.3:a:wso2:api_manager:4.3.0.70
-
cpe:2.3:a:wso2:api_manager:4.3.0.74
-
cpe:2.3:a:wso2:api_manager:4.3.0.81
-
cpe:2.3:a:wso2:api_manager:4.3.0.83
-
cpe:2.3:a:wso2:api_manager:4.3.0.85
-
cpe:2.3:a:wso2:api_manager:4.3.0.88
-
cpe:2.3:a:wso2:api_manager:4.3.0.90
-
cpe:2.3:a:wso2:api_manager:4.3.0.91
-
cpe:2.3:a:wso2:api_manager:4.3.0.93
-
cpe:2.3:a:wso2:api_manager:4.4.0
-
cpe:2.3:a:wso2:api_manager:4.4.0.28
-
cpe:2.3:a:wso2:api_manager:4.4.0.29
-
cpe:2.3:a:wso2:api_manager:4.4.0.30
-
cpe:2.3:a:wso2:api_manager:4.4.0.33
-
cpe:2.3:a:wso2:api_manager:4.4.0.38
-
cpe:2.3:a:wso2:api_manager:4.4.0.45
-
cpe:2.3:a:wso2:api_manager:4.4.0.47
-
cpe:2.3:a:wso2:api_manager:4.4.0.49
-
cpe:2.3:a:wso2:api_manager:4.4.0.52
-
cpe:2.3:a:wso2:api_manager:4.4.0.54
-
cpe:2.3:a:wso2:api_manager:4.4.0.55
-
cpe:2.3:a:wso2:api_manager:4.4.0.57
-
cpe:2.3:a:wso2:api_manager:4.5.0
-
cpe:2.3:a:wso2:api_manager:4.5.0.11
-
cpe:2.3:a:wso2:api_manager:4.5.0.12
-
cpe:2.3:a:wso2:api_manager:4.5.0.14
-
cpe:2.3:a:wso2:api_manager:4.5.0.17
-
cpe:2.3:a:wso2:api_manager:4.5.0.20
-
cpe:2.3:a:wso2:api_manager:4.5.0.28
-
cpe:2.3:a:wso2:api_manager:4.5.0.30
-
cpe:2.3:a:wso2:api_manager:4.5.0.32
-
cpe:2.3:a:wso2:api_manager:4.5.0.35
-
cpe:2.3:a:wso2:api_manager:4.5.0.37
-
cpe:2.3:a:wso2:api_manager:4.5.0.38
-
cpe:2.3:a:wso2:api_manager:4.5.0.41
-
cpe:2.3:a:wso2:api_manager:4.5.0.9
-
cpe:2.3:a:wso2:api_manager:4.6.0
-
cpe:2.3:a:wso2:api_manager:4.6.0.1
-
cpe:2.3:a:wso2:api_manager:4.6.0.2
-
cpe:2.3:a:wso2:api_manager:4.6.0.3
-
cpe:2.3:a:wso2:api_manager:4.6.0.6
-
cpe:2.3:a:wso2:identity_server:5.10.0
-
cpe:2.3:a:wso2:identity_server:5.10.0.284
-
cpe:2.3:a:wso2:identity_server:5.10.0.300
-
cpe:2.3:a:wso2:identity_server:5.10.0.379
-
cpe:2.3:a:wso2:identity_server:5.10.0.382
-
cpe:2.3:a:wso2:identity_server:6.0.0
-
cpe:2.3:a:wso2:identity_server:6.0.0.171
-
cpe:2.3:a:wso2:identity_server:6.0.0.179
-
cpe:2.3:a:wso2:identity_server:6.0.0.249
-
cpe:2.3:a:wso2:identity_server:6.0.0.253
-
cpe:2.3:a:wso2:identity_server:7.0.0
-
cpe:2.3:a:wso2:identity_server:7.0.0.121
-
cpe:2.3:a:wso2:identity_server:7.0.0.124
-
cpe:2.3:a:wso2:identity_server:7.1.0
-
cpe:2.3:a:wso2:identity_server:7.1.0.26
-
cpe:2.3:a:wso2:identity_server:7.1.0.28
-
cpe:2.3:a:wso2:identity_server:7.1.0.31
-
cpe:2.3:a:wso2:identity_server_as_key_manager:5.10.0
-
cpe:2.3:a:wso2:identity_server_as_key_manager:5.10.0.280
-
cpe:2.3:a:wso2:identity_server_as_key_manager:5.10.0.296
-
cpe:2.3:a:wso2:open_banking_am:2.0.0
-
cpe:2.3:a:wso2:open_banking_am:2.0.0.313
-
cpe:2.3:a:wso2:open_banking_am:2.0.0.328
-
cpe:2.3:a:wso2:open_banking_am:2.0.0.342
-
cpe:2.3:a:wso2:open_banking_iam:2.0.0
-
cpe:2.3:a:wso2:open_banking_iam:2.0.0.318
-
cpe:2.3:a:wso2:open_banking_iam:2.0.0.333
-
cpe:2.3:a:wso2:open_banking_iam:2.0.0.348
-
cpe:2.3:a:wso2:traffic_manager:4.5.0
-
cpe:2.3:a:wso2:traffic_manager:4.5.0.17
-
cpe:2.3:a:wso2:traffic_manager:4.5.0.19
-
cpe:2.3:a:wso2:traffic_manager:4.5.0.27
-
cpe:2.3:a:wso2:traffic_manager:4.6.0
-
cpe:2.3:a:wso2:universal_gateway:4.5.0
-
cpe:2.3:a:wso2:universal_gateway:4.5.0.17
-
cpe:2.3:a:wso2:universal_gateway:4.5.0.19
-
cpe:2.3:a:wso2:universal_gateway:4.5.0.27
-
cpe:2.3:a:wso2:universal_gateway:4.6.0