GHSA-R6F3-55WJ-G9P3

Vulnerability from github – Published: 2025-09-23 18:30 – Updated: 2025-09-27 03:29
Summary
WSO2 Identity Server Apps allows content spoofing in logs
Details

A content spoofing issue exists in WSO2 Identity Server Apps, specifically in the Authentication Portal, due to improper handling of authentication error messages. When an authentication failure occurs, the portal previously accepted an authFailureMsg value supplied via URL and rendered it in the UI without validating it against the resource bundle. An attacker can craft a link that causes the portal to display attacker-controlled text in the error banner, enabling UI misrepresentation and social engineering. Because the text appears on the genuine login page, served from the organisation's own hostname and certificate, it is more convincing than a look-alike phishing site; the CVSS vector (UI:R, I:L) reflects that the victim must follow the crafted link and that the impact is limited to the integrity of what the page displays.

The fix validates the message key against the resource bundle and encodes input before rendering, so the parameter can only select one of the bundle's predefined messages rather than supply its own text. Upgrade to org.wso2.identity.apps:authentication-portal 2.4.4 or later to remediate; the affected range recorded below starts at version 0, so every earlier release of that artifact is in scope.
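As an added illustration of the flaw and the described fix (this is not code from the identity-apps project, whose real change is in the linked pull request), the following Python sketch contrasts the pre-fix rendering, which echoes the URL-supplied authFailureMsg, with the post-fix rendering, which treats the parameter as a key allowlisted against the resource bundle and HTML-encodes the resulting text. It also scans constructed access-log lines for requests whose authFailureMsg is not a bundle key, which is how one would look for crafted links delivered against a portal that was still unpatched. The bundle keys, the login.do path, the sample URLs and the log lines are all constructed assumptions for the example.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed stand-in for the portal's message resource bundle. The keys are
# illustrative, not the real keys shipped with WSO2 identity-apps.
RESOURCE_BUNDLE = {
    "authentication.fail.message": "Login failed! Please recheck the username and password and try again.",
    "user.account.locked": "Your account is locked. Please contact the administrator.",
}
GENERIC_KEY = "authentication.fail.message"

# Assumed portal path, used only to build the sample URLs and log lines below.
PORTAL_PATH = "/authenticationendpoint/login.do"


def _auth_failure_param(url: str):
    """Return the decoded authFailureMsg query value, or None if absent."""
    values = parse_qs(urlsplit(url).query).get("authFailureMsg")
    return values[0] if values else None


def render_banner_vulnerable(url: str) -> str:
    """Pre-fix behaviour: whatever the URL says is rendered verbatim."""
    msg = _auth_failure_param(url) or RESOURCE_BUNDLE[GENERIC_KEY]
    return f'<div class="alert alert-danger">{msg}</div>'


def resolve_message(key: str) -> str:
    """Treat the parameter strictly as a bundle key; an unknown key falls back
    to the generic failure message instead of being echoed to the user."""
    return RESOURCE_BUNDLE.get(key, RESOURCE_BUNDLE[GENERIC_KEY])


def render_banner_fixed(url: str) -> str:
    """Post-fix behaviour: allowlist the key against the bundle, then encode
    the bundle text for HTML so it can never break out of the element."""
    key = _auth_failure_param(url) or GENERIC_KEY
    return f'<div class="alert alert-danger">{html.escape(resolve_message(key), quote=True)}</div>'


_REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_requests(log_lines):
    """Scan access-log lines for requests whose authFailureMsg is not a bundle
    key. On an unpatched portal each hit would have shown attacker text."""
    hits = []
    for line in log_lines:
        m = _REQUEST_RE.search(line)
        if not m:
            continue
        value = _auth_failure_param(m.group(1))
        if value is not None and value not in RESOURCE_BUNDLE:
            client = line.split(" ", 1)[0]
            hits.append((client, value))
    return hits


# Constructed sample data: one crafted link, one legitimate link, three log lines.
ATTACK_URL = (
    "https://idp.example.com" + PORTAL_PATH
    + "?authFailureMsg=Your+session+expired.+Call+%2B1-555-0100+to+reset+your+password"
)
LEGIT_URL = "https://idp.example.com" + PORTAL_PATH + "?authFailureMsg=user.account.locked"
LOG_LINES = [
    '203.0.113.7 - - [23/Sep/2025:18:30:01 +0000] "GET ' + PORTAL_PATH
    + '?authFailureMsg=authentication.fail.message HTTP/1.1" 200 5120',
    '198.51.100.23 - - [23/Sep/2025:18:31:44 +0000] "GET ' + PORTAL_PATH
    + '?authFailureMsg=Your+session+expired.+Call+%2B1-555-0100+to+reset+your+password HTTP/1.1" 200 5190',
    '203.0.113.9 - - [23/Sep/2025:18:32:10 +0000] "GET ' + PORTAL_PATH + ' HTTP/1.1" 200 5000',
]

if __name__ == "__main__":
    print("vulnerable:", render_banner_vulnerable(ATTACK_URL))
    print("fixed:     ", render_banner_fixed(ATTACK_URL))
    print("flagged:   ", suspicious_requests(LOG_LINES))
```

The key design point is that the fixed path never lets the parameter reach the output at all: it is only ever used as a dictionary lookup, and the bundle's own text is what gets encoded and rendered. The log scan only sees the query string when the portal is reached by GET and the access log records it, so treat an empty result as inconclusive rather than as proof that no crafted links were delivered.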


{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.wso2.identity.apps:authentication-portal"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.4.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-6429"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-451"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-09-23T19:13:03Z",
    "nvd_published_at": "2025-09-23T17:15:30Z",
    "severity": "MODERATE"
  },
  "details": "A content spoofing issue exists in WSO2 Identity Server Apps, specifically in the Authentication Portal, due to improper handling of authentication error messages. When an authentication failure occurs, the portal previously accepted an `authFailureMsg` value supplied via URL and rendered it in the UI without validating it against the resource bundle. An attacker can craft a link that causes the portal to display attacker-controlled text in the error banner, enabling UI misrepresentation and social-engineering.\n\nThe fix validates the message key against the resource bundle and encodes input before rendering. Upgrade to `org.wso2.identity.apps:authentication-portal` **2.4.4** or later to remediate.",
  "id": "GHSA-r6f3-55wj-g9p3",
  "modified": "2025-09-27T03:29:44Z",
  "published": "2025-09-23T18:30:23Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6429"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wso2/identity-apps/pull/6488"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wso2/identity-apps/commit/75babf6b60f940f86bada7020e5d464ca95e47f2"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/wso2/identity-apps"
    },
    {
      "type": "WEB",
      "url": "https://github.com/wso2/identity-apps/releases/tag/@wso2is/identity-apps-core@2.4.4"
    },
    {
      "type": "WEB",
      "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3490"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "WSO2 Identity Server Apps allows content spoofing in logs"
}

