An open redirection vulnerability exists in multiple WSO2 products due to improper validation of the multi-option URL in the authentication endpoint when multi-option authentication is enabled. A malicious actor can craft a valid link that redirects users to an attacker-controlled site.
By exploiting this vulnerability, an attacker may trick users into visiting a malicious page, enabling phishing attacks to harvest sensitive information or perform other harmful actions.
References
| Link | Resource |
|---|---|
| https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3171/ | Vendor Advisory |
Configurations
Configuration 1 (hide)
|
History
06 Oct 2025, 13:48
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3171/ - Vendor Advisory | |
| First Time |
Wso2 identity Server
Wso2 Wso2 identity Server As Key Manager Wso2 api Manager |
|
| CPE | cpe:2.3:a:wso2:api_manager:4.0.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:identity_server:6.0.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:identity_server:6.1.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:identity_server_as_key_manager:5.10.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:api_manager:3.1.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:identity_server:5.11.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:api_manager:3.2.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:identity_server:5.10.0:*:*:*:*:*:*:* cpe:2.3:a:wso2:identity_server:7.0.0:*:*:*:*:*:*:* |
02 Jun 2025, 17:32
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2025-06-02 17:15
Updated : 2025-10-06 13:48
NVD link : CVE-2024-1440
Mitre link : CVE-2024-1440
CVE.ORG link : CVE-2024-1440
JSON object : View
Products Affected
wso2
- api_manager
- identity_server
- identity_server_as_key_manager
CWE
CWE-601
URL Redirection to Untrusted Site ('Open Redirect')