CVE-2024-1440

Summary

An open redirection vulnerability exists in multiple WSO2 products due to improper validation of the multi-option URL in the authentication endpoint when multi-option authentication is enabled. A malicious actor can craft a valid link that redirects users to an attacker-controlled site.

By exploiting this vulnerability, an attacker may trick users into visiting a malicious page, enabling phishing attacks to harvest sensitive information or perform other harmful actions.

Affected Software

VendorProductVersion RangeStatus
WSO2WSO2 Identity Server0 < 5.10.0unknown
WSO2WSO2 Identity Server5.10.0 < 5.10.0.278affected
WSO2WSO2 Identity Server5.11.0 < 5.11.0.347affected
WSO2WSO2 Identity Server6.0.0 < 6.0.0.185affected
WSO2WSO2 Identity Server6.1.0 < 6.1.0.145affected
WSO2WSO2 Identity Server7.0.0 < 7.0.0.30affected
WSO2WSO2 API Manager0 < 3.1.0unknown
WSO2WSO2 API Manager3.1.0 < 3.1.0.262affected
WSO2WSO2 API Manager3.2.0 < 3.2.0.344affected
WSO2WSO2 API Manager4.0.0 < 4.0.0.296affected
WSO2WSO2 Identity Server as Key Manager0 < 5.10.0unknown
WSO2WSO2 Identity Server as Key Manager5.10.0 < 5.10.0.298affected
WSO2WSO2 Open Banking AM0 < 2.0.0unknown
WSO2WSO2 Open Banking AM2.0.0 < 2.0.0.308affected
WSO2WSO2 Open Banking IAM0 < 2.0.0unknown
WSO2WSO2 Open Banking IAM2.0.0 < 2.0.0.327affected
WSO2WSO2 Carbon Identity Application Authentication Endpoint(Utils)5.17.5 < 5.17.5.256affected
WSO2WSO2 Carbon Identity Application Authentication Endpoint(Utils)5.18.187 < 5.18.187.257affected
WSO2WSO2 Carbon Identity Application Authentication Endpoint(Utils)5.23.8 < 5.23.8.174affected
WSO2WSO2 Carbon Identity Application Authentication Endpoint(Utils)5.25.92 < 5.25.92.77affected
WSO2WSO2 Carbon Identity Application Authentication Endpoint(Utils)7.0.78 < 7.0.78.18affected
WSO2WSO2 Carbon Identity Application Authentication Endpoint(Utils)7.0.111 <= *unaffected

Weaknesses

  • CWE-601: CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References