SECURITY ADVISORY WSO2-2022-1988
Published: May 31, 2024
Version: 1.0.0
Severity: Medium
CVSS Score: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
AFFECTED PRODUCTS
- WSO2 Identity Server : 5.11.0, 5.10.0
OVERVIEW
Open redirection vulnerability in account recovery endpoint when invalid or expired code is submitted.
DESCRIPTION
Due to an improper implementation, the callback URL is not validated against the defined callback regex when an invalid or expired code is submitted to the account recovery endpoint. This can therefore lead to an open redirection vulnerability.
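The defect described above is a validation check that runs on the success path but is skipped on the error path. The following is an added example, not WSO2 code; the callback regex, the error-page URL and the function names are assumptions chosen to illustrate the pattern and its fix.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list pattern standing in for the "defined callback regex"
# an administrator configures for the recovery flow (assumed, not from the advisory).
CALLBACK_REGEX = re.compile(r"https://app\.example\.com/(login|recovery)(\?[^#]*)?")
# Assumed fixed landing page used whenever the callback cannot be trusted.
DEFAULT_ERROR_PAGE = "https://app.example.com/recovery-error"


def is_allowed_callback(url: str) -> bool:
    """Return True only if the entire URL matches the configured pattern."""
    # fullmatch anchors both ends, so a trailing ".evil.test" or a
    # protocol-relative "//evil.test/..." cannot satisfy the pattern.
    if not url or not CALLBACK_REGEX.fullmatch(url):
        return False
    parts = urlsplit(url)
    return parts.scheme == "https" and bool(parts.netloc)


def redirect_target_vulnerable(code_valid: bool, callback: str) -> str:
    """Flawed flow: the callback is validated only when the code is valid.

    An invalid or expired code takes the second branch, which redirects to
    whatever callback the request carried."""
    if code_valid:
        return callback if is_allowed_callback(callback) else DEFAULT_ERROR_PAGE
    return callback + "?error=invalid_code"


def redirect_target_fixed(code_valid: bool, callback: str) -> str:
    """Corrected flow: validate the callback before every redirect,
    error path included, and fall back to a fixed page otherwise."""
    if not is_allowed_callback(callback):
        return DEFAULT_ERROR_PAGE
    return callback if code_valid else callback + "?error=invalid_code"
```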
IMPACT
By using social engineering techniques, an attacker could persuade a user to click a link carrying a malicious payload, redirecting the user to an attacker-controlled page where a phishing attack could be carried out to obtain highly sensitive information or cause other harm.
SOLUTION
We highly recommend migrating to the latest version of the respective WSO2 products to mitigate the identified vulnerabilities.
Info: If you are a WSO2 customer with a Support Subscription, please use WSO2 Updates to apply the fix.