CVE-2024-35133

MEDIUM

IBM Security Verify Access < 10.0.8 - Open Redirect

Title source: rule

Description

IBM Security Verify Access 10.0.0 through 10.0.8 OIDC Provider could allow a remote authenticated attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim.

Exploits (2)

exploitdb WRITEUP

by Giulio Garzia · webappsmultiple

https://www.exploit-db.com/exploits/52123

View Code ZIP pw:eip

nomisec WRITEUP

by Ozozuz · poc

https://github.com/Ozozuz/Ozozuz-IBM-Security-Verify-CVE-2024-35133

View Code ZIP pw:eip

References (2)

[Vendor Advisory] https://www.ibm.com/support/pages/node/7166712

[VDB Entry] https://exchange.xforce.ibmcloud.com/vulnerabilities/291026

Scores

CVSS v3 6.8

EPSS 0.0288

EPSS Percentile 86.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-601

Status published

Products (2)

ibm/security_verify_access 10.0.0 - 10.0.8

ibm/security_verify_access_docker 10.0.0 - 10.0.8

Published Aug 29, 2024

Tracked Since Feb 18, 2026