CVE-2024-1440 MEDIUM

CVE-2024-1440: Open Redirection in Multiple WSO2 Products via Multi-Option Authentication Endpoint

Vendor WSO2
Product WSO2 Identity Server
Weakness CWE-601 · Open redirect
Published June 2, 2025
Last update June 2, 2025

CVSS base score

5.4/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

What the vulnerability does

01 Description

An open redirection vulnerability exists in multiple WSO2 products due to improper validation of the multi-option URL in the authentication endpoint when multi-option authentication is enabled. A malicious actor can craft a valid link that redirects users to an attacker-controlled site. By exploiting this vulnerability, an attacker may trick users into visiting a malicious page, enabling phishing attacks to harvest sensitive information or perform other harmful actions.
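As an added, defensive illustration (not WSO2 code, and not tied to the product's real parameter names), the following Python validator shows the strict check that closes the CWE-601 pattern described above: a redirect parameter is honoured only when it is a local path or an https URL on an allow-listed host, and everything else falls back to a safe default. The trusted host and the sample inputs are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the identity server's own host name (assumption for this example).
TRUSTED_HOSTS = {"idp.example.com"}
SAFE_DEFAULT = "/"


def is_safe_redirect(target: str, trusted_hosts=TRUSTED_HOSTS) -> bool:
    """Return True only if `target` stays on this site or on an allow-listed https host."""
    if not target or any(c in target for c in "\t\r\n\x00"):
        return False  # control characters are used to smuggle past naive parsers
    # Browsers treat backslashes like slashes, so "/\evil.com" is really "//evil.com".
    candidate = target.replace("\\", "/")
    parts = urlsplit(candidate)
    if not parts.scheme and not parts.netloc:
        # Relative reference: a single leading "/" is local; "//host" is protocol-relative.
        return candidate.startswith("/") and not candidate.startswith("//")
    if parts.scheme.lower() != "https":
        return False  # rejects http, javascript:, data:, and "//host" (empty scheme)
    if not parts.netloc:
        return False  # "https:evil.com" is parsed by browsers as https://evil.com
    # .hostname lower-cases and strips userinfo/port, so "trusted@evil.com" yields "evil.com".
    return parts.hostname in trusted_hosts


def choose_redirect(target: str, default: str = SAFE_DEFAULT) -> str:
    """Use the requested target only when it passes validation; otherwise the safe default."""
    return target if is_safe_redirect(target) else default


if __name__ == "__main__":
    # Constructed sample inputs of the kind an open-redirect check must handle.
    samples = [
        "/dashboard?tab=1",
        "https://idp.example.com/login",
        "https://IDP.EXAMPLE.COM:443/login",
        "//evil.example/phish",
        "/\\evil.example/phish",
        "https://idp.example.com@evil.example/",
        "https://idp.example.com.evil.example/",
        "https:evil.example",
        "javascript:alert(1)",
        "http://idp.example.com/login",
    ]
    for s in samples:
        print(f"{s!r:50} -> {choose_redirect(s)}")
```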

Key dates

02 Disclosure timeline

June 2, 2025 CVE published
June 2, 2025 Record updated