An open redirection vulnerability exists in multiple WSO2 products due to improper validation of the multi-option URL in the authentication endpoint when multi-option authentication is enabled. A malicious actor can craft a valid link that redirects users to an attacker-controlled site.
By exploiting this vulnerability, an attacker may trick users into visiting a malicious page, enabling phishing attacks to harvest sensitive information or perform other harmful actions.
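As an added, illustrative example (not WSO2's own code; the host name and login path are constructed), the following contrasts a prefix-based check of the kind that lets unintended hosts through with a validator that parses the multi-option URL and allows only same-site targets, falling back to the default login page otherwise:

```python
from urllib.parse import urlsplit

# Constructed deployment values: the identity server's own host and the
# page to return to when the supplied multi-option URL is not acceptable.
TRUSTED_HOSTS = {"idp.example.test"}
DEFAULT_TARGET = "/authenticationendpoint/login.do"


def naive_is_safe(url: str) -> bool:
    """Weak check: a string-prefix test on the raw value.

    Anything that merely *begins* with the trusted origin passes, so the
    host is never actually pinned; this is the class of check that turns a
    redirect parameter into an open redirect."""
    return url.startswith("https://idp.example.test") or url.startswith("/")


def is_safe_redirect(url: str) -> bool:
    """Hardened check: parse the URL and accept only same-site targets."""
    if not url or any(c in url for c in "\r\n\x00"):
        return False
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        # Local path: must be rooted with a single slash. "//host" and "/\host"
        # are treated by browsers as scheme-relative URLs, so reject them.
        return url.startswith("/") and not url.startswith(("//", "/\\"))
    # Absolute URL: require https, no userinfo, and an exact allow-listed host.
    return (
        parts.scheme == "https"
        and parts.username is None
        and parts.hostname in TRUSTED_HOSTS
    )


def resolve_redirect(url: str) -> str:
    """Return the URL to redirect to, or the default page if it is unsafe."""
    return url if is_safe_redirect(url) else DEFAULT_TARGET
```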
| Software | From | Fixed in |
|---|---|---|
| org.wso2.carbon.identity.framework / org.wso2.carbon.identity.application.authentication.endpoint.util | 6.0.0 | 7.0.111 |
| org.wso2.carbon.identity.framework / org.wso2.carbon.identity.application.authentication.endpoint.util | - | 5.25.707 |
| wso2 / api_manager | 3.1.0 | 3.1.0.x |
| wso2 / api_manager | 3.2.0 | 3.2.0.x |
| wso2 / api_manager | 4.0.0 | 4.0.0.x |
| wso2 / identity_server | 5.10.0 | 5.10.0.x |
| wso2 / identity_server | 5.11.0 | 5.11.0.x |
| wso2 / identity_server | 6.0.0 | 6.0.0.x |
| wso2 / identity_server | 6.1.0 | 6.1.0.x |
| wso2 / identity_server | 7.0.0 | 7.0.0.x |
| wso2 / identity_server_as_key_manager | 5.10.0 | 5.10.0.x |