CVE-2024-1440

02.06.2025, 17:15

An open redirection vulnerability exists in multiple WSO2 products due to improper validation of the multi-option URL in the authentication endpoint when multi-option authentication is enabled. A malicious actor can craft a valid link that redirects users to an attacker-controlled site.

By exploiting this vulnerability, an attacker may trick users into visiting a malicious page, enabling phishing attacks to harvest sensitive information or perform other harmful actions.

Open Redirect

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.4 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
WSO2	CNA	5.4 MEDIUM	NETWORK	LOW	NONE	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 21%

Vendor	Product	Version
wso2	api_manager	3.1.0
wso2	api_manager	3.2.0
wso2	api_manager	4.0.0
wso2	identity_server	5.10.0
wso2	identity_server	5.11.0
wso2	identity_server	6.0.0
wso2	identity_server	6.1.0
wso2	identity_server	7.0.0
wso2	identity_server_as_key_manager	5.10.0

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-601 - URL Redirection to Untrusted Site ('Open Redirect')
A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

References

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3171/