Security Advisory WSO2-2021-1314

Published: October 14, 2021

Version: 1.0.0

Severity: Medium

CVSS Score: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)


  • WSO2 API Manager : 3.0.0 , 3.1.0 , 3.2.0 , 4.0.0
  • WSO2 Identity Server : 5.7.0 , 5.8.0 , 5.9.0 , 5.10.0 , 5.11.0
  • WSO2 IS as Key Manager : 5.3.0 , 5.5.0 , 5.6.0 , 5.7.0 , 5.9.0 , 5.10.0
  • WSO2 IoT Server : 3.3.1


Potential Cross Site Scripting and Open Redirection vulnerabilities in account recovery endpoint.


Due to not applying the regular expression validation for callback URLs configured in the Account Recovery Configurations, the callback URL is vulnerable to Cross Site Scripting and Open Redirections attack.


By leveraging the XSS attack, a malicious actor can make the browser get redirected to a malicious website, make changes in the UI of the web page, retrieve information from the browser or harm otherwise. However, since all the session related sensitive cookies are set with httpOnly flag and protected, session hijacking or similar attacks would not be possible. Likewise, by leveraging the Open Redirect vulnerability, using social engineering techniques, an attacker could persuade a user to click on a valid link (but with a malicious payload) and get the user redirected to an attacker controlled page where a phishing attack could be executed to obtain highly sensitive information or harm otherwise.


The recommended solution is to apply the regular expression validation for callback URL in Account Recovery Configurations at the management console. Please refer to password recovery documentation page on further instructions related to performing this configuration change. In addition, WSO2 Security Guidelines for Production Deployments has been updated with relevant recommendations.


WSO2 thanks, Mariani Francesco for responsibly reporting the identified issue and working with us as we addressed it.