WSO2 Identity Server XSS via Auth Endpoint (CVE-2024-10242)
CVE-2024-10242 Published on April 16, 2026
Reflected Cross-Site Scripting via Authentication Endpoint in WSO2 API Manager Allows UI Modification and Redirection
The authentication endpoint does not adequately validate or encode user-supplied input before reflecting it back in the HTTP response. An attacker can therefore place a script payload in one of the endpoint's request parameters, craft a link carrying it, and have the payload executed in the browser of any victim who follows that link (a reflected XSS).
Successful exploitation can enable an attacker to redirect the victim's browser to a malicious site, modify the UI of the page (for example, to present a fake login form), or retrieve information from the browser. The impact is limited because the session-related sensitive cookies carry the httpOnly flag, so injected script cannot read them and steal the session. Note that httpOnly only blocks cookie theft: script running in the page can still issue requests that the browser sends with those cookies attached, which is why UI modification and redirection remain in scope.
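The reflection described above, shown as an added example that is not code from the advisory or from WSO2: a minimal login-page renderer that reflects a request parameter into an HTML attribute, first verbatim (the vulnerable pattern) and then with HTML-attribute encoding, plus the probe-and-check routine a tester would use to confirm whether a parameter is reflected unencoded. The parameter name `sessionDataKey`, the `/login` form action, and the `base_url` are assumptions made for illustration, not details taken from the page.

```python
import html
from urllib.parse import urlencode

# Hypothetical reflected parameter and form target (assumptions, not from the advisory).
REFLECTED_PARAM = "sessionDataKey"

# Constructed login-page template; {value} lands inside a double-quoted attribute.
LOGIN_TEMPLATE = (
    '<html><body><form action="/login" method="post">'
    '<input type="hidden" name="{name}" value="{value}">'
    '<input name="username"><input type="password" name="password">'
    "</form></body></html>"
)

# A probe that both closes the attribute and opens a tag; if it comes back
# byte-for-byte, the page reflects without encoding.
PROBE = 'x"><script>alert(1)</script>'


def render_vulnerable(params: dict) -> str:
    """Vulnerable pattern: the parameter is interpolated with no encoding,
    so the probe closes the value="..." attribute and injects a <script> tag."""
    value = params.get(REFLECTED_PARAM, "")
    return LOGIN_TEMPLATE.format(name=REFLECTED_PARAM, value=value)


def render_hardened(params: dict) -> str:
    """Hardened pattern: HTML-attribute-encode the value before interpolation.
    quote=True escapes both quote kinds, so the value cannot break out of the
    attribute or start a tag."""
    value = html.escape(params.get(REFLECTED_PARAM, ""), quote=True)
    return LOGIN_TEMPLATE.format(name=REFLECTED_PARAM, value=value)


def build_probe_url(base_url: str, probe: str = PROBE) -> str:
    """Build the link a tester would send: the probe URL-encoded into the
    reflected parameter of the authentication endpoint."""
    return f"{base_url}?{urlencode({REFLECTED_PARAM: probe})}"


def reflects_unescaped(body: str, probe: str = PROBE) -> bool:
    """Detection check: does the response body contain the probe with its
    HTML metacharacters intact? True means the endpoint reflects unencoded."""
    return probe in body


if __name__ == "__main__":
    params = {REFLECTED_PARAM: PROBE}
    print("probe URL:", build_probe_url("https://apim.example.test/authenticationendpoint/login.do"))
    print("vulnerable reflects unescaped:", reflects_unescaped(render_vulnerable(params)))
    print("hardened reflects unescaped:", reflects_unescaped(render_hardened(params)))
```

The check works on any response body, so the same `reflects_unescaped` call can be run against a captured HTTP response from a real target; encoding must match the output context (HTML attribute here), which is why `html.escape` with `quote=True` is used rather than a generic "strip `<script>`" filter.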
Vulnerability Analysis
CVE-2024-10242 is exploitable over the network, requires user interaction (the victim must open an attacker-supplied link), and has low attack complexity. The impact of a successful exploit is rated low for confidentiality and integrity, and none for availability.
Weakness Type
What is an XSS Vulnerability?
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
CVE-2024-10242 has been classified as an XSS (Improper Neutralization of Input During Web Page Generation, CWE-79) weakness.
Products Associated with CVE-2024-10242
Affected Versions
WSO2 API Manager:
- Before 3.2.0: unknown.
- 3.2.0 up to, but not including, update level 3.2.0.401: affected.
- 4.0.0 up to, but not including, update level 4.0.0.318: affected.
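A version check against the ranges listed above, added here as an example (it is not code from the advisory or from WSO2). It parses a WSO2 API Manager version string with an optional update level (for example `3.2.0.401`) into a tuple and compares it against the two affected ranges; the status labels `unknown`, `affected`, `patched`, and `not listed` are this example's own names, and "patched" is inferred from the advisory phrasing that versions below the stated update level are affected.

```python
from typing import Tuple

# Affected ranges as listed in the advisory: (first affected, first unaffected update level).
AFFECTED_RANGES = [
    ((3, 2, 0), (3, 2, 0, 401)),
    ((4, 0, 0), (4, 0, 0, 318)),
]

# The advisory says nothing about releases before 3.2.0.
FIRST_LISTED = (3, 2, 0)


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '3.2.0' or '3.2.0.401' into an int tuple. Python tuple comparison
    then orders (3, 2, 0) < (3, 2, 0, 5) < (3, 2, 0, 401), which matches how
    base releases relate to their update levels."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def classify(text: str) -> str:
    """Classify a version against the advisory's ranges.

    unknown    - older than 3.2.0 (advisory gives no information)
    affected   - inside one of the listed ranges
    patched    - same release line, at or above the first unaffected update level
    not listed - any other release line (e.g. 4.1.0), which the advisory does not mention
    """
    v = parse_version(text)
    if v < FIRST_LISTED:
        return "unknown"
    for low, fix in AFFECTED_RANGES:
        if low <= v < fix:
            return "affected"
        if v[:3] == low and v >= fix:
            return "patched"
    return "not listed"


if __name__ == "__main__":
    # Constructed sample inventory of deployments to triage.
    for ver in ["3.1.0", "3.2.0", "3.2.0.400", "3.2.0.401", "4.0.0.317", "4.0.0.318", "4.1.0"]:
        print(f"{ver:>10}: {classify(ver)}")
```

Because an update level sorts after its bare release, a deployment reporting only `4.0.0` is treated as the base release, which lies inside the affected range; confirm the actual update level on the host before closing a finding.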
Exploit Probability
EPSS (Exploit Prediction Scoring System) scores estimate the probability that a vulnerability will be exploited in the wild within the next 30 days. The percentile shows you how this score compares to all other vulnerabilities.