The host is installed with WSO2 API Manager version 2.1.0 or 2.6.0 and is prone to a reflected cross-site scripting vulnerability. A flaw is present in the applications which fails to properly handle the carbon part of the product. Successful exploitation allows attackers to cause unspecified impact.