CVE-2025-0209 (CNNVD-202509-3673)
Chinese title:
WSO2 Identity Server security vulnerability
English title:
Reflected Cross-Site Scripting (XSS) in WSO2 Identity Server Account Registration Flow
Vulnerability description
Chinese description:
WSO2 Identity Server (IS) is an identity and authentication server from the US company WSO2. WSO2 Identity Server (IS) contains a security vulnerability caused by improper output encoding, which may lead to reflected cross-site scripting attacks.
English description:
A reflected cross-site scripting (XSS) vulnerability exists in the account registration flow of WSO2 Identity Server due to improper output encoding. A malicious actor can exploit this vulnerability by injecting a crafted payload that is reflected in the server response, enabling the execution of arbitrary JavaScript in the victim's browser. This vulnerability could allow attackers to redirect users to malicious websites, modify the user interface, or exfiltrate data from the browser. However, session-related sensitive cookies are protected using the httpOnly flag, which mitigates the risk of session hijacking.
CWE type:
Tags:
Affected products
| Vendor | Product | Version | Version range | Platform | CPE |
|---|---|---|---|---|---|
| WSO2 | WSO2 Identity Server | - | < 7.0.0.87 | - | cpe:2.3:a:wso2:wso2_identity_server:*:*:*:*:*:*:*:* |
| wso2 | identity_server | 7.0.0 | - | - | cpe:2.3:a:wso2:identity_server:7.0.0:-:*:*:*:*:*:* |
Solution
Chinese solution:
English solution:
Temporary workaround:
References
cve.org
CVSS score details
3.1 (cna)
MEDIUM CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Timeline
Exploit information
Data source details
| Data source | Record ID | Version | Extraction time |
|---|---|---|---|
| CVE | cve_CVE-2025-0209 | 2025-11-11 15:23:00 | 2025-11-11 07:40:02 |
| NVD | nvd_CVE-2025-0209 | 2025-11-11 15:01:03 | 2025-11-11 07:47:53 |
| CNNVD | cnnvd_CNNVD-202509-3673 | 2025-11-11 15:12:58 | 2025-11-11 08:00:13 |
Version and language
Security advisories
Change history
- vulnerability_type: not extracted -> Other
- cnnvd_id: not extracted -> CNNVD-202509-3673
- data_sources: ['cve', 'nvd'] -> ['cnnvd', 'cve', 'nvd']
- affected_products_count: 1 -> 2
- data_sources: ['cve'] -> ['cve', 'nvd']