Published: 8th February 2021
CVSS Score: 6.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
WSO2 API Manager : 2.6.0 or earlier
A potential Open Redirect vulnerability in the API Manager Store.
Open Redirect vulnerability can be exploited by tampering a parameter during the SSO based authentication to the API Store.
By using social engineering techniques, an attacker could persuade a user to click on a valid link (but with a malicious payload) and get the user redirected to an attacker controlled page where a phishing attack could be executed to obtain highly sensitive information or harm otherwise.
If you are using an affected product version, it is highly recommended to migrate to the latest released version to receive security fixes.
You may also apply the relevant fixes based on the changes from the public fix: https://github.com/wso2/carbon-apimgt/pull/9625
Note: If you are a WSO2 customer with Support Subscription, please use WSO2 Update Manager (WUM) updates in order to apply the fix.