SECURITY ADVISORY WSO2-2022-1988

Published: May 31, 2024

Version: 1.0.0

Severity: Medium

CVSS Score: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)


AFFECTED PRODUCTS

  • WSO2 Identity Server : 5.11.0, 5.10.0

OVERVIEW

Open redirection vulnerability in account recovery endpoint when invalid or expired code is submitted.

DESCRIPTION

Due to the improper implementation, the callback URL is not validated against the defined callback regex.Therefore, it may lead to open redirection vulnerability when invalid or expired code is submitted.

IMPACT

By using social engineering techniques, an attacker could persuade a user to click on a link with malicious payload and get the user redirected to an attacker controlled page where a phishing attack could be executed to obtain highly sensitive information or harm otherwise.

SOLUTION

We highly recommend to migrate the latest version of respective WSO2 products to mitigate the identified vulnerabilities.

Info

If you are a WSO2 customer with Support Subscription, please use WSO2 Updates in order to apply the fix.