||
Skip to end of metadata
Go to start of metadata

Published: 8th February 2021

Version: 1.0.0

Severity: Medium

CVSS Score: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)


AFFECTED PRODUCTS

WSO2 API Manager : 2.6.0 or earlier


OVERVIEW

A potential Open Redirect vulnerability in the API Manager Store.


DESCRIPTION

Open Redirect vulnerability can be exploited by tampering a parameter during the SSO based authentication to the API Store.


IMPACT

By using social engineering techniques, an attacker could persuade a user to click on a valid link (but with a malicious payload) and get the user redirected to an attacker controlled page where a phishing attack could be executed to obtain highly sensitive information or harm otherwise.


SOLUTION

If you are using an affected product version, it is highly recommended to migrate to the latest released version to receive security fixes.

You may also apply the relevant fixes based on the changes from the public fix: https://github.com/wso2/carbon-apimgt/pull/9625

Note: If you are a WSO2 customer with Support Subscription, please use WSO2 Update Manager (WUM) updates in order to apply the fix.


  • No labels