WSO2 Open Redirection Vulnerability in Authentication Endpoint

Vulnerability

An open redirection vulnerability has been identified in multiple WSO2 products, including WSO2 API Manager versions 4.0.0, 3.2.0, and 3.1.0, and WSO2 Identity Server versions 7.0.0, 6.1.0, 6.0.0, 5.11.0, and 5.10.0. The vulnerability arises from improper validation of the multi-option URL in the authentication endpoint when multi-option authentication is enabled: the redirect target supplied in the request is not checked against the identity provider's own origin before the endpoint redirects to it. An attacker can therefore craft a link to the legitimate authentication endpoint that, once followed, sends the user to an attacker-controlled site. Because the link points at a trusted host, it lends itself to phishing that harvests sensitive information or facilitates other harmful actions.
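The check that is missing in the affected versions, shown as an added example rather than WSO2's own code: a validator that accepts a redirect target only when it is a path-relative URL or an absolute https URL whose host is exactly the identity provider, and a vulnerable handler beside the hardened one. The parameter name `multi_option_url`, the host `idp.example.com` and the fallback path are assumptions for illustration, not names taken from the advisory or from WSO2.

```python
"""Open-redirect check for a multi-option authentication redirect parameter.

Added example, not WSO2 code. The parameter name ``multi_option_url``,
the host ``idp.example.com`` and the fallback path are hypothetical.
"""
from urllib.parse import urlsplit

# Hypothetical values for the example; not taken from the advisory.
IDP_HOST = "idp.example.com"
DEFAULT_LOGIN_PATH = "/authenticationendpoint/login.do"


def vulnerable_redirect_target(multi_option_url: str) -> str:
    """'Before' behaviour: the parameter is used as the redirect target unchanged.

    An absolute URL, a protocol-relative URL (//host) or a backslash variant
    (/\\host) all send the user wherever the link author chose.
    """
    return multi_option_url


def is_safe_redirect_target(target: str, allowed_host: str = IDP_HOST) -> bool:
    """Return True only for targets that stay on the identity provider.

    Rules:
      * a relative reference must be an absolute path starting with a single
        '/', never '//' or '/\\' (browsers treat both as a new authority);
      * an absolute URL must use https and have a hostname equal to
        allowed_host (not a suffix, prefix or userinfo look-alike);
      * every other scheme (javascript:, data:, http:) is rejected.
    """
    if not target or any(c in target for c in "\r\n\t"):
        return False  # empty, or carries header-injection / whitespace tricks

    # Browsers treat '\' as '/' in URLs, so normalise before splitting.
    normalised = target.replace("\\", "/")
    parts = urlsplit(normalised)

    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: must be an absolute path, not protocol-relative.
        return normalised.startswith("/") and not normalised.startswith("//")

    if parts.scheme.lower() != "https":
        return False

    # parts.hostname drops userinfo and port, so "idp@evil.example" resolves
    # to evil.example rather than matching on the decoy prefix.
    return (parts.hostname or "").lower() == allowed_host.lower()


def hardened_redirect_target(multi_option_url: str) -> str:
    """'After' behaviour: validate, otherwise fall back to the default login page."""
    if is_safe_redirect_target(multi_option_url):
        return multi_option_url
    return DEFAULT_LOGIN_PATH


if __name__ == "__main__":
    # Constructed inputs a tester would try against the redirect parameter.
    for candidate in [
        "/authenticationendpoint/login.do?x=1",
        "https://idp.example.com/authenticationendpoint/login.do",
        "https://evil.example/",
        "//evil.example/login",
        "/\\evil.example/login",
        "https://idp.example.com@evil.example/",
        "https://idp.example.com.evil.example/",
        "javascript:alert(1)",
    ]:
        print(f"{candidate!r:60} vulnerable -> {vulnerable_redirect_target(candidate)!r:55} "
              f"hardened -> {hardened_redirect_target(candidate)!r}")
```

The allow-list compares the parsed hostname for exact equality rather than checking that the string "starts with" or "contains" the trusted host, which is the mistake that lets `https://idp.example.com@evil.example/` and `https://idp.example.com.evil.example/` through; rejecting `//` and `/\` prefixes closes the protocol-relative bypass that a naive "must start with /" check misses.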

Impact

An attacker who persuades a user to follow a crafted link can redirect them from the trusted authentication endpoint to a malicious website, typically a phishing page imitating the login flow, in order to steal sensitive information or perform other harmful activities. No authentication is required to reach the vulnerable endpoint, but the attack still depends on a user following the link.

Remediation

Migrate to the latest version of the affected WSO2 product to receive the security fix. WSO2 customers with a Support Subscription should apply the fix through WSO2 Updates.

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread          3.4
impact          0.8
exploitability  6.5
remediation     7.7
relevance       0.1
threat          0.0
urgency         2.9
incentive       1.7

Our algorithm analyzes dozens of metrics to generate these eight key vulnerability categories, which are then combined to calculate the overall risk score.