
CVE-2025-10853: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in WSO2 Open Banking IAM

Severity: Medium
Published: Wed Nov 05 2025 (11/05/2025, 19:21:32 UTC)
Source: CVE Database V5
Vendor/Project: WSO2
Product: WSO2 Open Banking IAM

Description

CVE-2025-10853 is a reflected cross-site scripting (XSS) vulnerability in the management console of WSO2 Open Banking IAM version 2.0.0. It arises from improper output encoding of user-supplied input, allowing attackers to inject arbitrary JavaScript via manipulated request parameters. Exploitation can lead to UI manipulation, redirection to malicious sites, or theft of data accessible to the browser. Session cookies carry the httpOnly flag, so injected script cannot read them directly, which reduces the risk of session hijacking; script running in the console's origin can nevertheless issue requests that the browser authenticates with those cookies, so the vulnerability still affects confidentiality and integrity. The CVSS 3.1 base score is 5.2 (medium severity), reflecting the required user interaction and the adjacent-network attack vector. No known exploits are currently in the wild. European organizations using WSO2 Open Banking IAM should prioritize applying the vendor fix and reducing the exposure of the management console.

AI-Powered Analysis

Last updated: 11/12/2025, 20:19:21 UTC

Technical Analysis

CVE-2025-10853 is a reflected cross-site scripting (XSS) vulnerability identified in WSO2 Open Banking IAM version 2.0.0, a product used for identity and access management in open banking environments. The vulnerability stems from improper neutralization of input during web page generation, specifically insufficient output encoding of certain request parameters in the management console. When an attacker crafts a request with tampered parameters and a victim's browser sends it, the server reflects the injected JavaScript in its response without encoding it for the HTML context it lands in, and the script executes in the victim's browser within the console's origin. Potential consequences include manipulation of the user interface, redirection to attacker-controlled websites, and theft of data accessible via the browser. Session cookies are set with the httpOnly flag, so the script cannot read them and classic session hijacking is mitigated; the script can still act on the victim's behalf by sending requests that the browser authenticates automatically, so the impact is not limited to cosmetic changes. The vulnerability requires user interaction (e.g., opening a crafted link) and, per its CVSS attack vector, the attacker must be able to reach the console from an adjacent network such as the internal network or a VPN rather than from the open Internet. The CVSS 3.1 base score is 5.2 (medium severity), with low attack complexity, no privileges required, low confidentiality and integrity impact and no availability impact. No public exploits have been reported to date. This vulnerability is particularly relevant for organizations deploying WSO2 Open Banking IAM in environments where the management console is reachable by users or administrators, as it could be leveraged for targeted attacks or phishing campaigns against console operators.
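The encoding defect described above, shown as an added example that is not code from the advisory or from WSO2: a page that reflects a request parameter into an attribute and into element text with no encoding, beside the same page with HTML entity encoding applied at the point of output, plus a URL-context check to show why entity encoding alone is not enough everywhere. The /admin/ path, the q parameter and the probe string are assumptions for the demonstration; the advisory names no endpoint and publishes no payload.

```python
import html
from urllib.parse import urlsplit

# Constructed probe string for the demonstration; it is not a payload taken
# from the advisory, which publishes no exploit details.
PROBE = '"><script>alert(document.domain)</script>'

# Hypothetical console path; the advisory names no endpoint.
CONSOLE_HOME = "/admin/"


def render_vulnerable(search_term: str) -> str:
    """Reflect a request parameter into the response with no output encoding.

    This is the CWE-79 pattern the advisory describes: the value lands in an
    attribute context and in element text, so a quote plus a tag breaks out.
    """
    return (
        f'<form action="{CONSOLE_HOME}search">'
        f'<input name="q" value="{search_term}">'
        '</form>'
        f'<p>Results for {search_term}</p>'
    )


def render_hardened(search_term: str) -> str:
    """Same page with HTML entity encoding applied at the point of output.

    quote=True also encodes the two quote characters, which is what makes the
    attribute context safe; escaping only < and > would not be enough.
    """
    safe = html.escape(search_term, quote=True)
    return (
        f'<form action="{CONSOLE_HOME}search">'
        f'<input name="q" value="{safe}">'
        '</form>'
        f'<p>Results for {safe}</p>'
    )


def safe_redirect_target(url: str) -> str:
    """Encoding is context specific: a javascript: URL has no HTML
    metacharacters, so html.escape would pass it straight into an href.
    For a URL context, allow-list the scheme and fall back to a known page."""
    candidate = url.strip()
    parts = urlsplit(candidate)
    if parts.scheme.lower() in ("http", "https") and parts.netloc:
        return html.escape(candidate, quote=True)
    return CONSOLE_HOME


def reflects_unencoded(page: str, probe: str) -> bool:
    """Regression check a tester can run against a captured response body:
    does the probe survive verbatim, i.e. was it reflected without encoding?"""
    return probe in page


if __name__ == "__main__":
    print("vulnerable reflects probe:", reflects_unencoded(render_vulnerable(PROBE), PROBE))
    print("hardened reflects probe:  ", reflects_unencoded(render_hardened(PROBE), PROBE))
    print("redirect javascript: ->", safe_redirect_target("javascript:alert(1)"))
```

The same probe-survives-verbatim check is what a scanner or a manual tester does against the real console: send a marker in each parameter, then look for it unencoded in the response body. Protocol-relative URLs (//host/path) are rejected by the scheme allow-list as well, since they would otherwise redirect off-site.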

Potential Impact

For European organizations, especially those in the financial sector leveraging WSO2 Open Banking IAM for identity and access management, this vulnerability poses a risk to the confidentiality and integrity of user interactions with the management console. It does not affect availability and, because of the httpOnly flag, does not allow session cookies to be stolen, but attackers could manipulate the UI, redirect users to malicious sites or drive actions inside an administrator's authenticated console session, potentially facilitating further attacks such as credential theft or malware delivery. Given the critical role of IAM in securing banking infrastructure, exploitation could undermine trust and compliance with regulations like PSD2 and GDPR. The impact is heightened in environments where management consoles are exposed beyond tightly controlled internal networks. Additionally, attackers could use this vulnerability as a stepping stone for social engineering of console administrators. The absence of known exploits reduces immediate risk, but the medium severity score and the potential for targeted attacks warrant proactive mitigation.

Mitigation Recommendations

Organizations should layer several defenses. First, apply the fixed build or patch from WSO2 as soon as it is available. The missing output encoding is in the vendor's console code, so operators cannot correct it themselves; until the fix is applied, reduce exposure instead. Restrict the management console to trusted administrative networks (VPN, bastion host or a dedicated management segment) and enforce strong authentication and authorization on it. Place a web application firewall or reverse proxy in front of the console with rules that block reflected XSS payloads in request parameters, including double-URL-encoded variants. A Content Security Policy that disallows inline script would stop injected code from executing, but it has to be added at the proxy and tested against the console first, because management consoles frequently rely on inline scripts. Brief administrators that exploitation requires opening a crafted link to the console, so links to it should only be followed from trusted sources. Monitor console access logs for requests whose parameters contain HTML tags, event-handler attributes or javascript: URLs and alert on them. Finally, segment the console from less trusted environments to shrink the attack surface.
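The log-monitoring step above, as an added example that is not code from the advisory or from WSO2: a small scanner that reads access-log lines in Common Log Format, keeps only requests to the console, decodes each query parameter through repeated layers of percent-encoding, and flags values carrying script-injection indicators. The log lines, IP addresses and the /admin/ console path are constructed for the demonstration and are not real WSO2 logs.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Common Log Format lines for the demonstration; they are not
# real WSO2 logs and the /admin/ console path is hypothetical.
SAMPLE_LOG = """\
10.0.5.17 - - [06/Nov/2025:09:12:03 +0000] "GET /admin/search?q=users HTTP/1.1" 200 5120
10.0.5.42 - - [06/Nov/2025:09:12:41 +0000] "GET /admin/search?q=%22%3E%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 5211
10.0.5.42 - - [06/Nov/2025:09:13:02 +0000] "GET /admin/view?name=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 200 4870
10.0.5.9 - - [06/Nov/2025:09:13:30 +0000] "GET /admin/login?redirect=javascript:alert(document.cookie) HTTP/1.1" 302 0
10.0.6.3 - - [06/Nov/2025:09:14:00 +0000] "GET /api/health HTTP/1.1" 200 17
"""

CONSOLE_PREFIX = "/admin/"  # hypothetical console path

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Indicators of script injection, checked once the value is fully decoded.
# Deliberately narrow; tune to the parameters the console actually uses.
INDICATORS = [
    ("html_tag", re.compile(
        r'<\s*/?\s*(script|img|svg|iframe|object|embed|body|style|math)\b', re.I)),
    ("event_handler", re.compile(r'\bon[a-z]+\s*=', re.I)),
    ("javascript_url", re.compile(r'\bjavascript\s*:', re.I)),
    ("data_html_url", re.compile(r'\bdata\s*:\s*text/html', re.I)),
]


def fully_decode(value: str, max_rounds: int = 3) -> str:
    """Undo repeated percent-encoding so %253C (double-encoded '<') is seen.
    Bounded so a pathological input cannot keep the loop busy."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def indicators_in(value: str) -> list:
    """Names of the indicator patterns that match the decoded value."""
    return [name for name, pattern in INDICATORS if pattern.search(value)]


def scan_log(text: str) -> list:
    """Return one finding per suspicious parameter on console requests."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        target = m.group("target")
        if not target.startswith(CONSOLE_PREFIX):
            continue
        parts = urlsplit(target)
        # parse_qsl removes one layer of encoding; fully_decode handles the rest.
        for name, raw in parse_qsl(parts.query, keep_blank_values=True):
            value = fully_decode(raw)
            hits = indicators_in(value)
            if hits:
                findings.append({
                    "ip": m.group("ip"),
                    "ts": m.group("ts"),
                    "path": parts.path,
                    "param": name,
                    "value": value,
                    "indicators": hits,
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['path']} {f['param']}={f['value']!r} {f['indicators']}")
```

Because the vulnerability is reflected, the attacker's payload travels in the victim's request, so the source address in a hit is the victim's workstation, not the attacker's; the useful pivot is the referrer or the mail or chat message that delivered the link. Alert on any hit against the console path regardless of HTTP status, since a 200 with the payload in the query is exactly the successful case.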


Technical Details

Data Version
5.2
Assigner Short Name
WSO2
Date Reserved
2025-09-22T10:42:09.872Z
Cvss Version
3.1
State
PUBLISHED

Threat ID: 690ba5a1976718a733ff3159

Added to database: 11/5/2025, 7:29:37 PM

Last enriched: 11/12/2025, 8:19:21 PM

Last updated: 12/20/2025, 6:58:45 PM

