Security Advisory WSO2-2017-0198

Published: September 04, 2017

Severity: Medium

CVSS Score: 4.5 (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:N/A:N)


  • WSO2 Identity Server 5.3.0


A potential Reflected Cross-Site Scripting (XSS) vulnerability has been identified in Workflow Engine Profile.


In several versions of the WSO2 Workflow Engine Profile, an XSS vulnerability has been discovered which affects all versions above 5.0.7 of the Identity Workflow implementation.

The older versions of WSO2 Identity which are not listed in this advisory are not vulnerable to this attack.


An attacker aware of the management console origin can include malicious content in a request and trick a user to click the malicious content via email or a neutral website. This reflects the attack back to the user’s browser and will execute the injected code, which may generate malicious page results that will mislead the victim or harm otherwise.


Apply the following patches based on your products by following the instructions in the README file. Patches can also be downloaded from Security Patch Releases. If you have any questions, post them to

Code Product Version Patch
IS WSO2 Identity Server 5.3.0 WSO2-CARBON-PATCH-4.4.0-0991


If you are using newer versions of the products than the ones mentioned in the "SOLUTION" section, this vulnerability is fixed.