CVE-2025-0672

Low CVSS: 3.3

An authentication bypass vulnerability exists in multiple WSO2 products when FIDO authentication is enabled. When a user account is deleted, the system does not automatically remove associated FIDO registration data. If a new user account is later created using the same username, the system may associate the new account with the previously registered FIDO device.

This flaw may allow a previously deleted user to authenticate using their FIDO credentials and impersonate the newly created user, resulting in unauthorized access. The vulnerability applies only to deployments that utilize FIDO-based authentication.

Vendor

Wso2

Product

Identity Server

CWE

CWE-287

Yayın Tarihi

2025-09-23 18:15:30

Güncelleme

2025-10-03 16:38:03

Source Identifier

ed10eef1-636d-4fbe-9993-6890dfa878f8

KEV Date Added

Kategoriler

CWE-287 Identity Server LOW Wso2 2025

Referanslar

https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2025/WSO2-2025-3134/

Benzer Kayıtlar

High

CVE-2024-1524

When the "Silent Just-In-Time Provisioning" feature is enabled for a federated identity provider (IDP) there is a risk…

Critical

CVE-2025-13590

A malicious actor with administrative privileges can upload an arbitrary file to a user-controlled location within the d…

High

CVE-2025-12107

Due to the use of a vulnerable third-party Velocity template engine, a malicious actor with admin privilege may inject a…

Critical

CVE-2025-9312

A missing authentication enforcement vulnerability exists in the mutual TLS (mTLS) implementation used by System REST AP…

High

CVE-2025-6670

A Cross-Site Request Forgery (CSRF) vulnerability exists in multiple WSO2 products due to the use of the HTTP GET method…

Medium

CVE-2025-10853

A reflected cross-site scripting (XSS) vulnerability exists in the management console of multiple WSO2 products due to i…