org.wso2.carbon.identity.mgt.endpoint.util is vulnerable to cross-site scripting. The vulnerability exists because the localVarPath parameter in the recover function of PasswordRecoveryApiV1.java is not validated against a regular expression. An attacker can therefore inject malicious JavaScript through the callback URLs and have it executed by redirecting the user to an attacker-controlled website.
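The following Java sketch is an added example, not code from WSO2 or from the page, showing the kind of check the advisory says is missing: a password-recovery callback URL is validated against an operator-configured allowlist regular expression (and basic URI sanity checks) before it is used to build a redirect. The class name, method names, the allowlist pattern and the sample inputs are assumptions chosen for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Optional;
import java.util.regex.Pattern;

// Added example, not WSO2 code. Class name, method names and the allowlist
// regex are assumptions chosen for illustration.
public final class CallbackUrlValidator {

    // Assumption: an operator-configured allowlist. Anchored with ^ and $ so a
    // hostile URL cannot satisfy it by merely containing the expected prefix.
    private static final Pattern CALLBACK_ALLOWLIST =
            Pattern.compile("^https://app\\.example\\.com(/.*)?$");

    private CallbackUrlValidator() {
    }

    // Vulnerable pattern: the caller-supplied callback is trusted as-is, so
    // "javascript:alert(1)" or an attacker's host is handed straight back to
    // the browser as the recovery redirect target.
    static String buildRedirectUnchecked(String callbackUrl, String code) {
        return callbackUrl + "?confirmation=" + code;
    }

    // Hardened check: the callback must parse as an absolute https URI with a
    // host and no user-info part, and then match the allowlist in full.
    static boolean isAllowedCallback(String callbackUrl) {
        if (callbackUrl == null || callbackUrl.isEmpty()) {
            return false;
        }
        final URI uri;
        try {
            uri = new URI(callbackUrl);
        } catch (URISyntaxException e) {
            return false; // malformed input (whitespace, control characters, ...)
        }
        if (!uri.isAbsolute() || !"https".equalsIgnoreCase(uri.getScheme())) {
            return false; // rejects javascript:, data:, scheme-relative and relative URLs
        }
        if (uri.getRawUserInfo() != null || uri.getHost() == null) {
            return false; // rejects https://app.example.com@evil.example/
        }
        return CALLBACK_ALLOWLIST.matcher(callbackUrl).matches();
    }

    // Hardened redirect builder: returns empty instead of a redirect target
    // when the callback fails validation, so the caller must handle the error.
    static Optional<String> buildRedirect(String callbackUrl, String code) {
        if (!isAllowedCallback(callbackUrl)) {
            return Optional.empty();
        }
        String separator = callbackUrl.contains("?") ? "&" : "?";
        return Optional.of(callbackUrl + separator + "confirmation=" + code);
    }

    public static void main(String[] args) {
        // Constructed sample inputs: one legitimate callback, three attacker-controlled ones.
        String[] samples = {
            "https://app.example.com/password-reset",
            "javascript:alert(document.cookie)",
            "https://app.example.com@evil.example/",
            "https://evil.example/phish?look=https://app.example.com/"
        };
        for (String s : samples) {
            System.out.println("unchecked : " + buildRedirectUnchecked(s, "abc123"));
            System.out.println("validated : " + buildRedirect(s, "abc123").orElse("REJECTED"));
        }
    }
}
```

Two points a practitioner should keep in mind: the allowlist must be anchored and deployment-specific (a pattern that merely searches for the expected host name is satisfied by an attacker's URL that contains it), and a callback that passes validation still has to be output-encoded wherever it is written into HTML, since allowlisting the redirect target and escaping the page content are separate defences.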