Incorrect Authorization
CVE-2025-10908
Summary
Due to a lack of user account state validation during authentication, locked user accounts can be successfully authenticated using Magic Link or Pass Key methods. This bypasses the intended security control that should prevent access to accounts that have been locked. This vulnerability may allow unauthorized access to applications and sensitive data associated with accounts that should have been restricted via the account lock mechanism. It also undermines the effectiveness of the account lock mechanism intended to prevent further login attempts. The package "org.wso2.identity.apps:authentication-portal" is affected prior to version 3.3.4 and "org.wso2.carbon.identity.local.auth.magiclink:identity-local-auth-magiclink" is affected prior to 1.1.42.
- LOW
- NETWORK
- LOW
- UNCHANGED
- NONE
- NONE
- LOW
- LOW
CWE-863 - Incorrect Authorization
Authorization is a security mechanism performed by an application to grant or deny access to the requested resources by verifying the privileges of the user. When an application lacks effective authorization mechanisms, it enables unauthorized users to gain unintended privileges and illegitimate access to resources. Such a vulnerability may result in exposure of sensitive information, denial of service, arbitrary code execution, and complete system takeover.
Advisory Timeline
- Published
