The WSO2 API Manager authentication endpoint in versions 3.2.0 and 4.0.0 suffers from improper neutralization of input (CWE-79), enabling reflected cross-site scripting attacks. User-supplied input is inadequately validated and reflected in responses, allowing injection of malicious scripts executed in the victim's browser context. The vulnerability can be leveraged to redirect users, alter the web page UI, or extract browser information. The impact is mitigated by the httpOnly flag on session cookies, preventing session hijacking. The CVSS 3.1 base score is 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N), reflecting network attack vector, low attack complexity, no privileges required, user interaction required, scope change, and limited confidentiality and integrity impact. No vendor advisory or patch is currently available, and no exploits are known in the wild.

Successful exploitation allows attackers to execute arbitrary scripts in the context of the victim's browser when interacting with the vulnerable authentication endpoint. This can result in browser redirection to malicious sites, modification of the web page's user interface, and unauthorized retrieval of information accessible to the browser. The risk of session hijacking is reduced because session cookies are protected by the httpOnly flag, which prevents client-side script access. There is no reported impact on availability.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should exercise caution when interacting with the authentication endpoint and consider implementing additional input validation or web application firewall rules to detect and block malicious payloads targeting this vulnerability.