CVE-2024-1440
5.4
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Summary
An open redirection vulnerability exists in multiple WSO2 products due to improper validation of the multi-option URL in the authentication endpoint when multi-option authentication is enabled. A malicious actor can craft a valid link that redirects users to an attacker-controlled site.
By exploiting this vulnerability, an attacker may trick users into visiting a malicious page, enabling phishing attacks to harvest sensitive information or perform other harmful actions.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| WSO2 | WSO2 Identity Server | 0 < 5.10.0 | unknown |
| WSO2 | WSO2 Identity Server | 5.10.0 < 5.10.0.278 | affected |
| WSO2 | WSO2 Identity Server | 5.11.0 < 5.11.0.347 | affected |
| WSO2 | WSO2 Identity Server | 6.0.0 < 6.0.0.185 | affected |
| WSO2 | WSO2 Identity Server | 6.1.0 < 6.1.0.145 | affected |
| WSO2 | WSO2 Identity Server | 7.0.0 < 7.0.0.30 | affected |
| WSO2 | WSO2 API Manager | 0 < 3.1.0 | unknown |
| WSO2 | WSO2 API Manager | 3.1.0 < 3.1.0.262 | affected |
| WSO2 | WSO2 API Manager | 3.2.0 < 3.2.0.344 | affected |
| WSO2 | WSO2 API Manager | 4.0.0 < 4.0.0.296 | affected |
| WSO2 | WSO2 Identity Server as Key Manager | 0 < 5.10.0 | unknown |
| WSO2 | WSO2 Identity Server as Key Manager | 5.10.0 < 5.10.0.298 | affected |
| WSO2 | WSO2 Open Banking AM | 0 < 2.0.0 | unknown |
| WSO2 | WSO2 Open Banking AM | 2.0.0 < 2.0.0.308 | affected |
| WSO2 | WSO2 Open Banking IAM | 0 < 2.0.0 | unknown |
| WSO2 | WSO2 Open Banking IAM | 2.0.0 < 2.0.0.327 | affected |
| WSO2 | WSO2 Carbon Identity Application Authentication Endpoint(Utils) | 5.17.5 < 5.17.5.256 | affected |
| WSO2 | WSO2 Carbon Identity Application Authentication Endpoint(Utils) | 5.18.187 < 5.18.187.257 | affected |
| WSO2 | WSO2 Carbon Identity Application Authentication Endpoint(Utils) | 5.23.8 < 5.23.8.174 | affected |
| WSO2 | WSO2 Carbon Identity Application Authentication Endpoint(Utils) | 5.25.92 < 5.25.92.77 | affected |
| WSO2 | WSO2 Carbon Identity Application Authentication Endpoint(Utils) | 7.0.78 < 7.0.78.18 | affected |
| WSO2 | WSO2 Carbon Identity Application Authentication Endpoint(Utils) | 7.0.111 <= * | unaffected |
Weaknesses
- CWE-601: CWE-601 URL Redirection to Untrusted Site ('Open Redirect')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.