Content Spoofing in Multiple WSO2 Products via Error Message Injection
Description
A content spoofing vulnerability exists in multiple WSO2 products due to improper error message handling. Under certain conditions, error messages are passed through URL parameters without validation, allowing malicious actors to inject arbitrary content into the UI.
By exploiting this vulnerability, attackers can manipulate browser-displayed error messages, enabling social engineering attacks through deceptive or misleading content.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A content spoofing vulnerability in WSO2 products allows attackers to inject arbitrary content into error messages via unvalidated URL parameters, enabling social engineering attacks.
Vulnerability
Overview
CVE-2024-6429 is a content spoofing vulnerability affecting multiple WSO2 products, including the identity-apps repository. The root cause is improper handling of error messages: a user-supplied message arriving in a URL parameter is rendered without sufficient validation or sanitization [1][2]. This allows an attacker to inject arbitrary content into the error messages displayed in the user's browser.
Exploitation
An attacker can exploit this vulnerability by crafting a URL that carries a specially crafted error-message parameter. When a user visits that URL, the WSO2 application renders the attacker-controlled value as part of the error page, without proper escaping or validation [1][2]. No authentication is required: the vulnerability is triggered simply by luring a victim into clicking the crafted link. In the patched file (domain.jsp of the authentication portal) the parameter is authFailureMsg, which is read only when authFailure=true is also present.
Impact
Successful exploitation enables an attacker to manipulate the content of error pages displayed to users. This can be leveraged for social engineering attacks, such as displaying deceptive messages that trick users into revealing sensitive information or performing unintended actions [2]. The vulnerability does not directly allow code execution or data theft, but it undermines the trustworthiness of the application's UI.
Mitigation
The vulnerability has been addressed in the WSO2 identity-apps repository via pull request #6488, which validates the authentication failure message against the resource bundle [1]. The fix is included in release @wso2is/identity-apps-core@2.4.4 [4]. Users are strongly advised to update to the latest patched version of the affected WSO2 products to mitigate the risk.
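As an added example that is not WSO2's own code, the following stand-alone Java program contrasts the pre-fix logic of domain.jsp (the authFailureMsg parameter is echoed verbatim) with the post-fix allow-list check, where the parameter is accepted only if it names an entry in the resource bundle. The bundle contents, the i18n() stand-in (which, as the fix's comment states, returns the key itself when no entry exists; the real helper's HTML encoding of the result is left out here), and the sample inputs are all constructed for this demonstration.

```java
import java.util.ListResourceBundle;
import java.util.MissingResourceException;
import java.util.ResourceBundle;

/**
 * Added example (not WSO2 code): pre-fix vs post-fix handling of the
 * authFailureMsg URL parameter rendered by domain.jsp.
 */
public class AuthFailureMessageDemo {

    /** Constructed stand-in for the authentication portal's resource bundle. */
    public static class DemoBundle extends ListResourceBundle {
        @Override
        protected Object[][] getContents() {
            return new Object[][] {
                {"authentication.failed.please.retry",
                    "Login failed. Please recheck the username and password and try again."},
                {"login.fail.message", "Login failed."},
                {"domain.unknown", "Domain unknown"},
                {"domain.cannot.be.identified",
                    "The domain could not be identified. Please contact your administrator."},
            };
        }
    }

    /**
     * Mirrors the behaviour the fix's comment attributes to
     * AuthenticationEndpointUtil.i18n(): the value if the key exists, else the key
     * itself. (The real helper may also HTML-encode; omitted here by assumption.)
     */
    static String i18n(ResourceBundle bundle, String key) {
        try {
            return bundle.getString(key);
        } catch (MissingResourceException e) {
            return key;
        }
    }

    /** Pre-fix logic: whatever the URL parameter says is what the user sees. */
    static String resolveVulnerable(ResourceBundle bundle, String authFailureMsg) {
        String errorMessage = i18n(bundle, "authentication.failed.please.retry");
        if (authFailureMsg != null) {
            errorMessage = authFailureMsg;   // attacker-controlled text reaches the page
        }
        return errorMessage;
    }

    /** Post-fix logic: accept the parameter only if it round-trips through the bundle. */
    static String resolveSafe(ResourceBundle bundle, String authFailureMsg) {
        String errorMessage = i18n(bundle, "authentication.failed.please.retry");
        if (authFailureMsg != null) {
            String resolved = i18n(bundle, authFailureMsg);
            // i18n() hands back the key unchanged when there is no entry, so a
            // changed value is the only proof that the parameter named a real key.
            if (!authFailureMsg.equalsIgnoreCase(resolved)) {
                errorMessage = resolved;
            }
        }
        return errorMessage;
    }

    public static void main(String[] args) {
        ResourceBundle bundle = new DemoBundle();
        String[] inputs = {                                                // constructed inputs
            "login.fail.message",                                          // legitimate key
            "Your account is locked. Call +1-555-0100 to unlock it.",      // spoofed text
            "<b>Session expired</b>, re-enter your password below",        // spoofed markup
            null,                                                          // parameter absent
        };
        for (String in : inputs) {
            System.out.printf("param=%s%n  vulnerable -> %s%n  safe       -> %s%n",
                in, resolveVulnerable(bundle, in), resolveSafe(bundle, in));
        }
    }
}
```

Run it with `javac AuthFailureMessageDemo.java && java AuthFailureMessageDemo`. Only the first input survives the post-fix path; the two spoofed strings fall back to the bundle's default message because no bundle entry matches them. Note that this allow-list check is independent of output encoding: the bundle value still has to be HTML-encoded when written into the page.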
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.wso2.identity.apps:authentication-portal (Maven) | < 2.4.4 | 2.4.4 |
Affected products
- WSO2 / WSO2 API Manager (version range: 3.2.0)
- WSO2 / WSO2 Identity Server (version range: 5.10.0)
- WSO2 / WSO2 Identity Server as Key Manager (version range: 5.10.0)
Patches
75babf6b60f9 Merge pull request #6488 from Yasasr1/validate-auth-fail-msg
2 files changed · +17 −4
.changeset/proud-snakes-sin.md+5 −0 added@@ -0,0 +1,5 @@ +--- +"@wso2is/identity-apps-core": patch +--- + +Validate the auth fail massege in domain.jsp with the resourceBundle.
identity-apps-core/apps/authentication-portal/src/main/webapp/domain.jsp+12 −4 modified@@ -28,14 +28,22 @@ <% String domainUnknown = AuthenticationEndpointUtil.i18n(resourceBundle, "domain.unknown"); - String errorMessage = AuthenticationEndpointUtil.i18n(resourceBundle, "authentication.failed"); + String errorMessage = AuthenticationEndpointUtil.i18n(resourceBundle, "authentication.failed.please.retry"); boolean loginFailed = false; if (Boolean.parseBoolean(request.getParameter("authFailure"))) { loginFailed = true; if (request.getParameter("authFailureMsg") != null) { - errorMessage = request.getParameter("authFailureMsg"); - - if (domainUnknown.equalsIgnoreCase(errorMessage)) { + /* + * Only allowing error messages defined in the resourceBundle. + * AuthenticationEndpointUtil.i18n() will return the value of the provided key if the key is found + * in the resourceBundle. If the key is not found, it will return the key itself. + */ + String error = Encode.forJava(request.getParameter("authFailureMsg")); + if (!error.equalsIgnoreCase(AuthenticationEndpointUtil.i18n(resourceBundle, error))) { + errorMessage = AuthenticationEndpointUtil.i18n(resourceBundle, error); + } + + if (domainUnknown.equalsIgnoreCase(error)) { errorMessage = AuthenticationEndpointUtil.i18n(resourceBundle, "domain.cannot.be.identified"); } }
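Review bot: in .changeset/proud-snakes-sin.md, "massege" should be "message", and since this line becomes the release note it should also record the second user-visible change in this patch, the default message key moving from authentication.failed to authentication.failed.please.retry, which a reader of a "patch" entry that only says "Validate" will not expect.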
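Review bot: in domain.jsp, the domain.unknown special case changes its operand: the removed line compared domainUnknown (the localized value of "domain.unknown") against the message being displayed, while the added `if (domainUnknown.equalsIgnoreCase(error))` compares that localized value against the encoded raw parameter, which the new scheme expects to be a bundle key. Unless the bundle maps "domain.unknown" to the literal text "domain.unknown", this branch can no longer match and "domain.cannot.be.identified" becomes unreachable; compare the key instead, e.g. `if ("domain.unknown".equalsIgnoreCase(error))`, or compare against the resolved errorMessage as before. Two smaller points: `AuthenticationEndpointUtil.i18n(resourceBundle, error)` is evaluated twice in a row, so store it in a local and reuse it; and Encode.forJava is applied to a value that is only ever used as a lookup key, which means any input containing characters forJava escapes can never match an entry and is rejected, which is fine as a defence but the comment block above should state that this is the intent rather than reading as if forJava sanitizes the displayed text. Nothing in this hunk adds an import, so confirm domain.jsp already imports the Encode class it now calls.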
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-r6f3-55wj-g9p3 (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-6429 (NVD)
- security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3490/ (WSO2 vendor advisory WSO2-2024-3490)
- github.com/wso2/identity-apps/commit/75babf6b60f940f86bada7020e5d464ca95e47f2 (fix commit)
- github.com/wso2/identity-apps/pull/6488 (fix pull request)
- github.com/wso2/identity-apps/releases/tag/@wso2is/identity-apps-core@2.4.4 (patched release)
News mentions
No linked articles in our index yet.