Security Advisory WSO2-2024-3696/CVE-2024-12141
Published: 2025-09-23
Version: 1.0.0
Severity: Medium
CVSS Score: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N)
CVE IDs: CVE-2024-12141
AFFECTED PRODUCTS
- WSO2 Identity Server: 5.10.0, 5.11.0, 6.0.0, 6.1.0, 7.0.0, 7.1.0
OVERVIEW
Potential open redirect vulnerability via callback URL.
DESCRIPTION
An open redirect may be possible if the callback URL is validated with a weak regular expression, or is not validated at all, as described in the WSO2 Security Guidelines for Production Deployment [^1].
IMPACT
By employing social engineering techniques, an attacker could trick a user into clicking on a legitimate-looking link embedded with a malicious payload. This could redirect the user to an attacker-controlled page, enabling a phishing attack to harvest sensitive information, potentially resulting in unauthorized access, data theft, or further exploitation.
SOLUTION
The recommended solution is to configure a strong regular expression validation for callback URLs, as outlined in the WSO2 Security Guidelines for Production Deployment [^1], if not already applied. If regular expression validation is already in place for your callback URLs, ensure it addresses all cases and aligns with your organization's business requirements, using the example regex pattern provided below as a reference.
"${carbon.protocol}:\\/\\/${carbon.host}:${carbon.management.port}\\/.*"
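The following is an added example, not code from WSO2 or from the advisory, showing what separates the reference pattern above from a weak one. The ${carbon.protocol}, ${carbon.host} and ${carbon.management.port} placeholders are filled with constructed values (https, idp.example.com, 9443), and every candidate URL is constructed for the test; the urlsplit-based authority check at the end is an extra, assumed defence-in-depth step that the advisory does not prescribe.

```python
import re
from urllib.parse import urlsplit

# Constructed values standing in for the placeholders ${carbon.protocol},
# ${carbon.host} and ${carbon.management.port}; use your deployment's values.
CARBON_PROTOCOL = "https"
CARBON_HOST = "idp.example.com"   # placeholder hostname, not a real deployment
CARBON_MGMT_PORT = "9443"


def strong_callback_regex(protocol: str, host: str, port: str) -> re.Pattern:
    """Build the advisory's reference pattern for one concrete deployment.

    The advisory writes it as
    "${carbon.protocol}:\\/\\/${carbon.host}:${carbon.management.port}\\/.*".
    re.escape() makes every '.' in the host a literal dot, and the caller applies
    the pattern with fullmatch() so it has to cover the entire URL, which is also
    what Java's String.matches() does.
    """
    return re.compile(
        rf"{re.escape(protocol)}://{re.escape(host)}:{re.escape(port)}/.*"
    )


STRONG_CALLBACK_REGEX = strong_callback_regex(
    CARBON_PROTOCOL, CARBON_HOST, CARBON_MGMT_PORT
)

# A weak pattern of the kind the advisory warns against (constructed for
# contrast): the host's dots are unescaped and nothing follows the host, so
# "idp.example.com" is only a prefix and any longer host name is accepted too.
WEAK_CALLBACK_REGEX = re.compile(rf"{CARBON_PROTOCOL}://{CARBON_HOST}.*")


def is_allowed_callback(url: str, pattern: re.Pattern, whole: bool = True) -> bool:
    """Return True if the URL passes the regex check.

    whole=True (the correct usage) requires the whole URL to match; whole=False
    reproduces the mistake of using search()/find(), which accepts a foreign URL
    that merely contains an allowed callback somewhere inside it.
    """
    if whole:
        return pattern.fullmatch(url) is not None
    return pattern.search(url) is not None


def accepted_callbacks(candidates, pattern: re.Pattern, whole: bool = True):
    """Return the subset of candidate URLs the given check would accept."""
    return [u for u in candidates if is_allowed_callback(u, pattern, whole)]


def authority_matches(url: str, protocol=CARBON_PROTOCOL, host=CARBON_HOST,
                      port=CARBON_MGMT_PORT) -> bool:
    """Assumed extra check (not part of the advisory): compare the parsed
    scheme, host and port exactly instead of relying on the regex alone."""
    parts = urlsplit(url)
    return (parts.scheme == protocol
            and parts.hostname == host
            and parts.port is not None
            and str(parts.port) == port)


# Constructed candidates: the first is the only legitimate callback; the rest
# point at a different authority and must be rejected.
CANDIDATES = [
    "https://idp.example.com:9443/commonauth",                      # legitimate
    "https://idp.example.com.attacker.example/commonauth",          # host is only a prefix
    "https://idp-example.com:9443/commonauth",                      # unescaped '.' matches '-'
    "https://attacker.example/?next=https://idp.example.com:9443/", # allowed URL embedded inside
    "http://idp.example.com:9443/commonauth",                       # wrong scheme
]

if __name__ == "__main__":
    print("strong, fullmatch:", accepted_callbacks(CANDIDATES, STRONG_CALLBACK_REGEX))
    print("weak, fullmatch:  ", accepted_callbacks(CANDIDATES, WEAK_CALLBACK_REGEX))
    print("strong, search:   ", accepted_callbacks(CANDIDATES, STRONG_CALLBACK_REGEX, whole=False))
    print("authority check:  ", [u for u in CANDIDATES if authority_matches(u)])
```

Run as a script, the strong pattern applied with fullmatch() accepts only the first candidate, while the weak pattern additionally accepts the prefix-host and unescaped-dot candidates and a search()-style application of even the strong pattern accepts the embedded one; the parsed-authority check agrees with the strong pattern and is a cheap second opinion to keep alongside the regex.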