Open Redirection Vulnerability in WSO2 Products
CVE-2024-1440

5.4 MEDIUM

What is CVE-2024-1440?

An open redirection vulnerability exists in several WSO2 products because the authentication endpoint does not adequately validate the multi-option URL when multi-option authentication is enabled. This flaw lets an attacker craft a valid-looking link to the legitimate endpoint that redirects the user to a site under the attacker's control. Because the link points at a trusted domain, users can be deceived into visiting a harmful page, which facilitates phishing for sensitive data or other malicious activity.
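The root cause described above is a redirect target that is accepted without being checked against what the endpoint is actually allowed to send users to. The following is an added illustration of the defensive check a practitioner would want, not code from WSO2 or from the affected products: the function name, the allow-list and the sample inputs are all constructed for this example. It rejects protocol-relative URLs, userinfo tricks, look-alike subdomains, non-https schemes and backslash variants, and otherwise only allows same-site paths or hosts on an explicit allow-list.

```python
"""
Added example (not WSO2's code): a defensive validator for a user-controlled
redirect target such as the multi-option URL parameter described above.
The function names, the allow-list and the sample inputs are constructed.
"""
from urllib.parse import urlsplit

# Constructed allow-list: hosts the authentication endpoint may redirect to.
ALLOWED_HOSTS = {"idp.example.com", "portal.example.com"}


def is_safe_redirect(url: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Return True only if `url` is a same-site absolute path or an https URL
    whose host is on the allow-list. Anything else is treated as untrusted."""
    if not url:
        return False
    # Control characters and backslashes are rejected outright: browsers
    # normalise "\" to "/", so "/\evil.example" becomes a protocol-relative
    # "//evil.example" that a naive "starts with /" check would let through.
    if any(ord(c) < 0x20 or c == "\\" for c in url):
        return False
    parts = urlsplit(url)
    if not parts.scheme and not parts.netloc:
        # Relative target: must start with exactly one "/" to stay on-site.
        return url.startswith("/") and not url.startswith("//")
    # Absolute target: require https and an allow-listed host. urlsplit()
    # strips userinfo and port, so "https://idp.example.com@evil.example/"
    # yields hostname "evil.example" and is refused.
    if parts.scheme.lower() != "https":
        return False
    host = parts.hostname  # already lower-cased by urlsplit
    if host is None:
        return False
    return host in allowed_hosts


def safe_redirect_target(url: str, default: str = "/") -> str:
    """Return `url` if it passes validation, otherwise a safe default.
    An endpoint should redirect to this value rather than the raw parameter."""
    return url if is_safe_redirect(url) else default


if __name__ == "__main__":
    # Constructed sample inputs: the kind of values a redirect parameter sees.
    for candidate in [
        "/dashboard",
        "https://idp.example.com/login?step=2",
        "//evil.example/phish",
        "https://idp.example.com@evil.example/",
        "https://idp.example.com.evil.example/",
        "javascript:alert(1)",
    ]:
        print(f"{candidate!r:50} -> {safe_redirect_target(candidate)}")
```

The check deliberately allow-lists hosts rather than deny-listing known bad ones; an open redirect is only closed when every accepted target is one the application chose in advance. Logging rejected values (without following them) also gives a useful detection signal for phishing campaigns that probe the endpoint.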

Affected Version(s)

WSO2 API Manager 3.1.0 < 3.1.0.262

WSO2 API Manager 3.2.0 < 3.2.0.344

WSO2 API Manager 4.0.0 < 4.0.0.296

References

CVSS V3.1

Score: 5.4
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
