The host is installed with WSO2 API Manager before 4.2.0 and is prone to a reflected cross-site scripting vulnerability. A flaw is present in the applications which fails to properly handle /authenticationendpoint/login.do of WSO2 API Manager. Successful exploitation allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the tenantDomain parameter.