Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:maven/org.wso2.identity.apps/authentication-portal@1.3.38

Type maven

Namespace org.wso2.identity.apps

Name authentication-portal

Version 1.3.38

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 2.4.4

Latest_non_vulnerable_version 2.4.4

Affected_by_vulnerabilities

url VCID-m8u5-sjdr-1qcc

vulnerability_id VCID-m8u5-sjdr-1qcc

summary

WSO2 Identity Server Apps allows content spoofing in logs
A content spoofing issue exists in WSO2 Identity Server Apps, specifically in the Authentication Portal, due to improper handling of authentication error messages. When an authentication failure occurs, the portal previously accepted an `authFailureMsg` value supplied via URL and rendered it in the UI without validating it against the resource bundle. An attacker can craft a link that causes the portal to display attacker-controlled text in the error banner, enabling UI misrepresentation and social-engineering.

The fix validates the message key against the resource bundle and encodes input before rendering. Upgrade to `org.wso2.identity.apps:authentication-portal` **2.4.4** or later to remediate.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-6429

reference_id

reference_type

scores

value	0.00034
scoring_system	epss
scoring_elements	0.10209
published_at	2026-06-08T12:55:00Z

value	0.00034
scoring_system	epss
scoring_elements	0.10315
published_at	2026-06-05T12:55:00Z

value	0.00034
scoring_system	epss
scoring_elements	0.10334
published_at	2026-06-06T12:55:00Z

value	0.00034
scoring_system	epss
scoring_elements	0.10292
published_at	2026-06-07T12:55:00Z

value	0.0005
scoring_system	epss
scoring_elements	0.15844
published_at	2026-06-09T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-6429

reference_url

https://github.com/wso2/identity-apps

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/wso2/identity-apps

reference_url

https://github.com/wso2/identity-apps/commit/75babf6b60f940f86bada7020e5d464ca95e47f2

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/wso2/identity-apps/commit/75babf6b60f940f86bada7020e5d464ca95e47f2

reference_url

https://github.com/wso2/identity-apps/pull/6488

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/wso2/identity-apps/pull/6488

reference_url

https://github.com/wso2/identity-apps/releases/tag/@wso2is/identity-apps-core@2.4.4

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/wso2/identity-apps/releases/tag/@wso2is/identity-apps-core@2.4.4

reference_url

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3490

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3490

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-6429

reference_id

CVE-2024-6429

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-6429

reference_url

https://github.com/advisories/GHSA-r6f3-55wj-g9p3

reference_id

GHSA-r6f3-55wj-g9p3

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-r6f3-55wj-g9p3

reference_url

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3490/

reference_id

WSO2-2024-3490

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-09-23T18:31:05Z/

url

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2024-3490/

fixed_packages

url	pkg:maven/org.wso2.identity.apps/authentication-portal@2.4.4
purl	pkg:maven/org.wso2.identity.apps/authentication-portal@2.4.4
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.wso2.identity.apps/authentication-portal@2.4.4

aliases CVE-2024-6429, GHSA-r6f3-55wj-g9p3

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-m8u5-sjdr-1qcc

url VCID-vtbk-zuxw-8bgp

vulnerability_id VCID-vtbk-zuxw-8bgp

summary

Multiple WSO2 products vulnerable to perform user impersonatoin using JIT provisioning
Multiple WSO2 products have been identified as vulnerable to perform user impersonatoin using JIT provisioning. In order for this vulnerability to have any impact on your deployment, following conditions must be met:

 * An IDP configured for federated authentication and JIT provisioning enabled with the "Prompt for username, password and consent" option.
 * A service provider that uses the above IDP for federated authentication and has the "Assert identity using mapped local subject identifier" flag enabled.


Attacker should have:

 * A fresh valid user account in the federated IDP that has not been used earlier.
 * Knowledge of the username of a valid user in the local IDP.


When all preconditions are met, a malicious actor could use JIT provisioning flow to perform user impersonation.

references

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-6837

reference_id

reference_type

scores

value	0.00316
scoring_system	epss
scoring_elements	0.55042
published_at	2026-06-08T12:55:00Z

value	0.00316
scoring_system	epss
scoring_elements	0.55062
published_at	2026-06-09T12:55:00Z

value	0.00316
scoring_system	epss
scoring_elements	0.55069
published_at	2026-06-06T12:55:00Z

value	0.00316
scoring_system	epss
scoring_elements	0.5506
published_at	2026-06-05T12:55:00Z

value	0.00316
scoring_system	epss
scoring_elements	0.55059
published_at	2026-06-07T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-6837

reference_url

https://github.com/wso2/carbon-identity-framework/commit/fdab609760784086b8a3f55f7acf46d977a03d79

reference_id

reference_type

scores

value	8.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/wso2/carbon-identity-framework/commit/fdab609760784086b8a3f55f7acf46d977a03d79

reference_url

https://github.com/wso2/identity-apps/commit/1424203bbe81688d661ea8b8cd28e332302e1c53

reference_id

reference_type

scores

value	8.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/wso2/identity-apps/commit/1424203bbe81688d661ea8b8cd28e332302e1c53

reference_url

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1573

reference_id

reference_type

scores

value	8.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1573

reference_url	https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1573/
reference_id
reference_type
scores
url	https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2022/WSO2-2021-1573/

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-6837

reference_id

CVE-2023-6837

reference_type

scores

value	8.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-6837

reference_url

https://github.com/advisories/GHSA-f6jm-9pr8-9c3w

reference_id

GHSA-f6jm-9pr8-9c3w

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-f6jm-9pr8-9c3w

fixed_packages

url	pkg:maven/org.wso2.identity.apps/authentication-portal@1.6.179.1
purl	pkg:maven/org.wso2.identity.apps/authentication-portal@1.6.179.1
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:maven/org.wso2.identity.apps/authentication-portal@1.6.179.1

url pkg:maven/org.wso2.identity.apps/authentication-portal@1.6.180

purl pkg:maven/org.wso2.identity.apps/authentication-portal@1.6.180

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-m8u5-sjdr-1qcc

resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.wso2.identity.apps/authentication-portal@1.6.180

aliases CVE-2023-6837, GHSA-f6jm-9pr8-9c3w

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vtbk-zuxw-8bgp

Fixing_vulnerabilities

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:maven/org.wso2.identity.apps/authentication-portal@1.3.38

Package Instance