CVE-2024-1440

An open redirection vulnerability exists in multiple WSO2 products due to improper validation of the multi-option URL in the authentication endpoint when multi-option authentication is enabled. A malicious actor can craft a valid link that redirects users to an attacker-controlled site. By exploiting this vulnerability, an attacker may trick users into visiting a malicious page, enabling phishing attacks to harvest sensitive information or perform other harmful actions.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3171/	Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:wso2:api_manager:3.1.0:::::::*
	cpe:2.3:a:wso2:api_manager:3.2.0:::::::*
	cpe:2.3:a:wso2:api_manager:4.0.0:::::::*
	cpe:2.3:a:wso2:identity_server:5.10.0:::::::*
	cpe:2.3:a:wso2:identity_server:5.11.0:::::::*
	cpe:2.3:a:wso2:identity_server:6.0.0:::::::*
	cpe:2.3:a:wso2:identity_server:6.1.0:::::::*
	cpe:2.3:a:wso2:identity_server:7.0.0:::::::*
	cpe:2.3:a:wso2:identity_server_as_key_manager:5.10.0:::::::*

History

06 Oct 2025, 13:48

Type	Values Removed	Values Added
First Time		Wso2 api Manager Wso2 Wso2 identity Server As Key Manager Wso2 identity Server
References	~~() https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3171/ -~~	() https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3171/ - Vendor Advisory
CPE		cpe:2.3:a:wso2:api_manager:4.0.0:::::::* cpe:2.3:a:wso2:identity_server:6.0.0:::::::* cpe:2.3:a:wso2:identity_server:5.10.0:::::::* cpe:2.3:a:wso2:identity_server:5.11.0:::::::* cpe:2.3:a:wso2:identity_server_as_key_manager:5.10.0:::::::* cpe:2.3:a:wso2:api_manager:3.1.0:::::::* cpe:2.3:a:wso2:identity_server:7.0.0:::::::* cpe:2.3:a:wso2:api_manager:3.2.0:::::::* cpe:2.3:a:wso2:identity_server:6.1.0:::::::*
Summary		(es) Existe una vulnerabilidad de redirección abierta en varios productos WSO2 debido a la validación incorrecta de la URL multiopción en el endpoint de autenticación cuando esta está habilitada. Un atacante puede crear un enlace válido que redirija a los usuarios a un sitio web controlado por el atacante. Al explotar esta vulnerabilidad, un atacante puede engañar a los usuarios para que visiten una página maliciosa, lo que permite ataques de phishing para recopilar información confidencial o realizar otras acciones dañinas.

02 Jun 2025, 17:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-06-02 17:15

Updated : 2025-10-06 13:48

NVD link : CVE-2024-1440

Mitre link : CVE-2024-1440

CVE.ORG link : CVE-2024-1440

JSON object : View

Products Affected

wso2

api_manager
identity_server_as_key_manager
identity_server

CWE

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

5.4 /10