CVE-2024-1440: Open Redirection in Multiple WSO2 Products via Multi-Option Authentication Endpoint

5.4 CVSS

Description

An open redirection vulnerability exists in multiple WSO2 products due to improper validation of the multi-option URL in the authentication endpoint when multi-option authentication is enabled. A malicious actor can craft a valid link that redirects users to an attacker-controlled site.

By exploiting this vulnerability, an attacker may trick users into visiting a malicious page, enabling phishing attacks to harvest sensitive information or perform other harmful actions.
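The mitigation class for CWE-601 is strict validation of the redirect target before it is placed in a Location header. The validator below is an added example written for this page, not WSO2's code; the allow-listed hosts, the https-only policy and the function names are assumptions. It goes beyond the single parameter named above by also rejecting the usual bypass shapes (protocol-relative, backslash, userinfo, scheme-without-authority) that any such check has to handle.

```python
from urllib.parse import urlsplit

# Constructed allowlist for the demo; a real deployment reads this from
# configuration (hypothetical names, not WSO2 settings).
ALLOWED_HOSTS = {"idp.example.com", "app.example.com"}
ALLOWED_SCHEMES = {"https"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only if `target` is a same-site path or an allow-listed https URL."""
    if not target or len(target) > 2048:
        return False
    # Tabs, newlines and other control characters are silently dropped by
    # browsers and some parsers, so they must never reach a Location header.
    if any(ord(c) < 0x21 or ord(c) == 0x7F for c in target):
        return False
    # Browsers treat "\" like "/", so "/\evil.test" navigates to "//evil.test".
    if "\\" in target:
        return False
    # Protocol-relative ("//evil.test", "///evil.test") is absolute to a browser
    # even though urlsplit reports an empty netloc for the triple-slash form.
    if target.startswith("//"):
        return False
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "":
        # Relative reference: require an absolute path ("/login?x=1"),
        # not a bare host-like string ("evil.test") or a query fragment.
        return target.startswith("/")
    # Absolute URL: both scheme and host must be allow-listed. "https:evil.test"
    # parses with an empty netloc but browsers still go to evil.test, so an
    # empty netloc is rejected here as well.
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return False
    # .hostname drops userinfo ("trusted@evil.test" -> "evil.test") and the port,
    # and lowercases, so "https://IDP.example.com:443/x" resolves correctly.
    host = parts.hostname
    return host is not None and host in allowed_hosts


def choose_redirect(raw: str, default: str = "/") -> str:
    """Never echo a rejected value; fall back to a fixed local landing page."""
    return raw if is_safe_redirect(raw) else default
```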

Classification

CVE ID: CVE-2024-1440

CVSS Base Severity: MEDIUM

CVSS Base Score: 5.4

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N

Problem Types

CWE-601 URL Redirection to Untrusted Site ('Open Redirect')

Affected Products

Vendor: WSO2

Product: WSO2 Identity Server, WSO2 API Manager, WSO2 Identity Server as Key Manager, WSO2 Open Banking AM, WSO2 Open Banking IAM, WSO2 Carbon Identity Application Authentication Endpoint (Utils)

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (estimated probability of exploitation activity)

EPSS Percentile: 12.5% (proportion of all scored vulnerabilities with an EPSS score less than or equal to this one)

EPSS Date: 2025-06-03 (date on which this score was calculated)

References

https://nvd.nist.gov/vuln/detail/CVE-2024-1440
https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2024/WSO2-2024-3171/

Timeline