Security Advisory WSO2-2024-3403/CVE-2024-4989¶
Published: 2025-03-18
Updated: 2025-03-18
Version: 1.0.0
Severity: Medium
CVSS Score: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)
AFFECTED PRODUCTS¶
- WSO2 API Manager 4.3.0, 4.2.0, 4.1.0
OVERVIEW¶
Open redirection vulnerability has been identified.
DESCRIPTION¶
Due to the lack of validation in the callback url, malicious actors may perform an open redirection vulnerability in some circumstances.
IMPACT¶
By using social engineering techniques, an attacker could persuade a user to click on a valid link (but with a malicious payload) and get the user redirected to an attacker controlled page where a phishing attack could be executed to obtain highly sensitive information or harm otherwise.
SOLUTION¶
Community Users (Open Source)¶
We highly recommend to migrate to the latest version of respective WSO2 products to mitigate the identified vulnerabilities.
Support Subscription Holders¶
Update your product to the specified update level—or a higher update level—to apply the fix.
Info
WSO2 Support Subscription Holders may use WSO2 Updates in order to apply the fix.
| Product | Version | U2 Update Level |
|---|---|---|
| WSO2 API Manager | 4.1.0 | 153 |
| WSO2 API Manager | 4.2.0 | 105 |
| WSO2 API Manager | 4.3.0 | 20 |