An open redirection vulnerability exists in multiple WSO2 products due to improper validation of the multi-option URL in the authentication endpoint when multi-option authentication is enabled. A malicious actor can craft a valid link that redirects users to an attacker-controlled site. By exploiting this vulnerability, an attacker may trick users into visiting a malicious page, enabling phishing attacks to harvest sensitive information or perform other harmful actions.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.authentication.endpoint.util(Maven) | 6.0.0 | 7.0.111 | N/A |
| org.wso2.carbon.identity.framework:org.wso2.carbon.identity.application.authentication.endpoint.util(Maven) | 0 | 5.25.707 | N/A |
CVSS Metrics
