CVE-2025-10853: CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') in WSO2 WSO2 Open Banking IAM
A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to improper output encoding. By tampering with specific parameters, a malicious actor can inject arbitrary JavaScript into the response, leading to reflected XSS. Successful exploitation could result in UI manipulation, redirection to malicious websites, or data theft from the browser. However, session-related sensitive cookies are protected with the httpOnly flag, which mitigates the risk of session hijacking.
AI Analysis
Technical Summary
CVE-2025-10853 is a reflected cross-site scripting (XSS) vulnerability identified in WSO2 Open Banking IAM version 2.0.0, a product used for identity and access management in open banking environments. The root cause is improper neutralization of input during web page generation: certain parameters in the management console interface are reflected into the response without sufficient output encoding. An attacker can therefore craft a URL or input parameter that, when processed by the vulnerable console, causes attacker-controlled JavaScript to be reflected back to the user's browser. Successful exploitation results in arbitrary script execution in the context of the affected web application, enabling UI manipulation, redirection to attacker-controlled websites, or exfiltration of sensitive data accessible via the browser. Session cookies are marked with the httpOnly flag, which keeps them out of reach of script and so mitigates the risk of session hijacking via JavaScript. Exploitation requires user interaction: the attacker must lure a user into clicking a malicious link or interacting with crafted content. The CVSS 3.1 base score is 5.2 (medium), reflecting an adjacent-network attack vector, low attack complexity, no privileges required, user interaction required, and impacts on confidentiality and integrity but not availability. No public exploits or patches are known at the time of analysis, so proactive mitigation and monitoring are needed. Given the product's role in open banking IAM, exploitation could undermine trust in financial identity management systems.
Potential Impact
For European organizations, especially those in the financial sector using WSO2 Open Banking IAM for identity and access management, this vulnerability poses risks of data leakage, phishing, and manipulation of user interfaces within critical management consoles. Attackers could exploit this flaw to redirect administrators or users to malicious sites, potentially leading to credential theft or unauthorized access to sensitive banking systems. Although session hijacking is mitigated by httpOnly cookies, other confidential information accessible via the browser, or manipulation of the console UI, could compromise operational integrity. This could result in reputational damage, regulatory non-compliance (e.g., GDPR violations due to data exposure), and financial losses. The requirements for user interaction and adjacent-network access reduce the likelihood of widespread automated exploitation but do not rule out targeted attacks, particularly where internal or partner network access is possible. The absence of patches prolongs exposure, so compensating controls are needed immediately.
Mitigation Recommendations
European organizations should implement the following specific mitigations:
1) Restrict access to the WSO2 Open Banking IAM management console to trusted internal networks and VPNs to reduce exposure to adjacent-network attacks.
2) Deploy web application firewalls (WAFs) with custom rules to detect and block parameter inputs indicative of XSS attempts against the management console.
3) Train administrators and users with console access to recognize and avoid suspicious links and untrusted content.
4) Monitor logs and network traffic for unusual requests or patterns that may indicate exploitation attempts.
5) Implement Content Security Policy (CSP) headers to limit the execution of unauthorized scripts in the management console context.
6) Engage WSO2 support or community channels to obtain or request patches or updates addressing this vulnerability promptly.
7) Where feasible, isolate the management console environment and enforce multi-factor authentication to reduce impact if credentials are compromised.
8) Regularly review and sanitize input parameters in custom integrations or extensions to the console to prevent amplification of the vulnerability.
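As an added illustration (not WSO2 code; the advisory does not show the affected console page or name the reflected parameters, so the page fragment, parameter value and cookie name below are constructed), this contrasts the unencoded reflection pattern behind CWE-79 with context-aware output encoding, and shows the CSP and httpOnly cookie settings that mitigations 5 and 8 and the httpOnly note rely on:

```python
import html
from urllib.parse import urlsplit

# Constructed sample: a tampered value of the kind a console page might
# reflect (the advisory does not name the affected parameters).
TAMPERED_PARAM = '"><script>alert(document.domain)</script>'


def render_vulnerable(msg: str) -> str:
    # Reflects the parameter into the HTML body unencoded: the CWE-79
    # pattern the advisory describes (insufficient output encoding).
    return f"<div class='status'>{msg}</div>"


def render_hardened(msg: str) -> str:
    # HTML body/attribute context: encode &, <, >, " and ' so the value
    # renders as text and cannot close the element or open a script tag.
    return f"<div class='status'>{html.escape(msg, quote=True)}</div>"


def render_return_link(return_to: str) -> str:
    # URL-in-attribute context: encoding alone does not stop redirection.
    # Accept only same-origin relative paths; reject schemes (javascript:),
    # protocol-relative (//host) and backslash variants browsers normalise.
    parts = urlsplit(return_to)
    if (parts.scheme or parts.netloc or "\\" in return_to
            or not return_to.startswith("/")):
        return_to = "/"
    return f'<a href="{html.escape(return_to, quote=True)}">Back</a>'


def security_headers() -> dict:
    # Defence in depth: a CSP without 'unsafe-inline' stops a reflected
    # inline payload from executing, and the session cookie carries
    # HttpOnly (as the advisory notes) so script cannot read it.
    # Cookie name and value are placeholders, not WSO2's.
    return {
        "Content-Security-Policy": (
            "default-src 'self'; script-src 'self'; object-src 'none'; "
            "base-uri 'self'; frame-ancestors 'none'"
        ),
        "Set-Cookie": "SESSION=<placeholder>; Path=/; Secure; HttpOnly; SameSite=Strict",
    }


if __name__ == "__main__":
    print(render_vulnerable(TAMPERED_PARAM))
    print(render_hardened(TAMPERED_PARAM))
    print(render_return_link("javascript:alert(1)"))
    print(security_headers()["Content-Security-Policy"])
```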
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Italy, Spain
Technical Details
- Data Version: 5.2
- Assigner Short Name: WSO2
- Date Reserved: 2025-09-22T10:42:09.872Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 690ba5a1976718a733ff3159
Added to database: 11/5/2025, 7:29:37 PM
Last enriched: 11/5/2025, 7:44:44 PM
Last updated: 11/6/2025, 12:05:04 PM