/
Security Advisory WSO2-2021-1646
com.atlassian.confluence.content.render.xhtml.migration.exceptions.UnknownMacroMigrationException: The macro 'next_previous_links' is unknown.

Security Advisory WSO2-2021-1646

Owned by Former user (Deleted)
Last updated: Apr 03, 2023

Published: 8th March 2022

Version: 1.0.0

Severity: Medium

CVSS Score: 5.4 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N)


AFFECTED PRODUCTS

WSO2 API Manager : 4.0.0 , 3.2.0 , 3.1.0 , 3.0.0 , 2.6.0 , 2.5.0 , 2.2.0
WSO2 Identity Server : 5.11.0 , 5.10.0 , 5.9.0 , 5.8.0 , 5.7.0 , 5.6.0 , 5.5.0 , 5.4.1
WSO2 IoT Server: 3.3.1


OVERVIEW

A potential open redirection vulnerability in callback url.


DESCRIPTION

The WSO2 Secure Deployment guide recommended regex callback URI validation is vulnerable to potential open redirection vulnerability.


IMPACT

By using social engineering techniques, an attacker could persuade a user to click on a valid link (but with a malicious payload) and get the user redirected to an attacker controlled page where a phishing attack could be executed to obtain highly sensitive information or harm otherwise


SOLUTION

In order to mitigate the identified vulnerability, It is highly recommended to apply the below given configuration into the following function following path.

Service Provider > Add/Edit Service Provider > Inbound Authentication Configuration > OAuth/OpenIDConnect Configuration > Configure

  Callback URL => regexp=(https:\/\/((example1\.com)|(example2:8000))(\/callback))

  Here example1 and example2 are sample URLs


Moreover, the product documentations are updated with the corrected configuration samples.


CREDITS

WSO2 thanks, Điện Phạm for responsibly reporting the identified issue and working with us as we addressed it.

Related content

com.atlassian.confluence.content.render.xhtml.migration.exceptions.UnknownMacroMigrationException: The macro 'next_previous_links2' is unknown.