CVE-2024-8008: WSO2 products vulnerable to Cross-site Scripting

June 2, 2025 (updated June 5, 2025)

A reflected cross-site scripting (XSS) vulnerability exists in multiple WSO2 products due to insufficient output encoding in error messages generated by the JDBC user store connection validation request. A malicious actor can inject a specially crafted payload into the request, causing the browser to execute arbitrary JavaScript in the context of the vulnerable page.

This vulnerability may allow UI manipulation, redirection to malicious websites, or data exfiltration from the browser. However, since all session-related sensitive cookies are protected with the httpOnly flag, session hijacking is not possible.

References

github.com/advisories/GHSA-xpxp-r8hf-wgf6
github.com/wso2/carbon-identity-framework
github.com/wso2/carbon-identity-framework/pull/5927
nvd.nist.gov/vuln/detail/CVE-2024-8008
security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3178

Code Behaviors & Features

Detect and mitigate CVE-2024-8008 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →