CVE-2024-35133
Severity: MEDIUM
IBM Security Verify Access 10.0.0-10.0.8 - Authenticated Open Redirect via OIDC Provider
Title source: LLM-generated
Exploitation Summary
EIP tracks 3 public exploits for CVE-2024-35133. PoCs published by Giulio Garzia, Ozozuz.
AI-analyzed exploit summary
This is a detailed technical writeup describing an open redirect vulnerability in IBM Security Verify Access during the OAuth flow. The vulnerability allows bypassing the redirect_uri validation by embedding credentials in the URI, leading to potential leakage of OAuth tokens.
Description
IBM Security Verify Access 10.0.0 through 10.0.8 OIDC Provider could allow a remote authenticated attacker to conduct phishing attacks, using an open redirect attack. By persuading a victim to visit a specially crafted Web site, a remote attacker could exploit this vulnerability to spoof the URL displayed to redirect a user to a malicious Web site that would appear to be trusted. This could allow the attacker to obtain highly sensitive information or conduct further attacks against the victim.
Exploits (3)
1. This is a detailed technical writeup describing an open redirect vulnerability in IBM Security Verify Access during the OAuth flow. The vulnerability allows bypassing the redirect_uri validation by embedding credentials in the URI, leading to potential leakage of OAuth tokens.
2. This repository provides a detailed technical analysis of CVE-2024-35133, an open redirect vulnerability in IBM Security Verify Access during the OAuth flow. It includes a proof of concept demonstrating how an attacker can manipulate the 'redirect_uri' parameter to bypass domain whitelist filters and steal OAuth tokens.
3. This repository provides a detailed technical analysis of CVE-2024-35133, an open redirect vulnerability in IBM Security Verify Access during the OAuth flow. It includes a proof of concept demonstrating how an attacker can bypass the redirect_uri validation to leak OAuth tokens.
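A defensive illustration of the validation weakness the summaries above describe, added here and not taken from any of the tracked PoCs or from IBM's code: a naive prefix/whitelist check accepts a redirect_uri that carries userinfo before the real host, while exact-match validation after parsing rejects it. The allow-list and hostnames are constructed placeholders.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allow-list of registered redirect URIs (placeholder, not a real deployment).
REGISTERED_REDIRECT_URIS = {"https://app.example.com/callback"}


def weak_redirect_uri_check(uri: str) -> bool:
    """Prefix-style whitelist check: looks only at the start of the string.

    A URI such as https://app.example.com@attacker.example/ begins with the
    trusted origin, so this check passes it, yet a browser sends the user to
    attacker.example (the part before '@' is userinfo, not the host).
    """
    trusted_origins = {u.rsplit("/", 1)[0] for u in REGISTERED_REDIRECT_URIS}
    return any(uri.startswith(origin) for origin in trusted_origins)


def canonical_redirect_uri(uri: str):
    """Parse the URI and return a canonical form, or None if it must be rejected."""
    try:
        parts = urlsplit(uri)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    # Reject anything that carries userinfo or a fragment; neither belongs in a
    # registered redirect URI and userinfo is exactly what hides the true host.
    if parts.username is not None or parts.password is not None or parts.fragment:
        return None
    if parts.scheme.lower() != "https" or not parts.hostname:
        return None
    host = parts.hostname.lower()
    if port is not None and port != 443:
        host = f"{host}:{port}"
    return urlunsplit(("https", host, parts.path or "/", parts.query, ""))


def strict_redirect_uri_check(uri: str) -> bool:
    """Exact-match validation: canonical form must equal a registered URI."""
    canonical = canonical_redirect_uri(uri)
    return canonical is not None and canonical in REGISTERED_REDIRECT_URIS


if __name__ == "__main__":
    for candidate in ("https://app.example.com/callback",
                      "https://app.example.com@attacker.example/"):
        print(candidate, weak_redirect_uri_check(candidate),
              strict_redirect_uri_check(candidate))
```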
Scores
CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N