CVE-2014-2880 in Identity Manager

Summary

by MITRE

Open redirect vulnerability in the Oracle Identity Manager component in Oracle Fusion Middleware 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the backUrl parameter in a changepwd action to identity/faces/firstlogin.


Analysis

by VulDB Data Team • 05/11/2026

CVE-2014-2880 is a critical open redirect flaw in the authentication flow of Oracle Identity Manager, affecting Oracle Fusion Middleware versions 11.1.1.5, 11.1.1.7, 11.1.2.1, and 11.1.2.2. The flaw is in the changepwd action of the firstlogin page, where the backUrl parameter is processed without adequate validation. The application accepts a user-supplied URL in backUrl and redirects the user to it without sanitization or an authorization check, bypassing the controls that should govern where the authentication flow may send a user.

Exploitation relies on insecure redirection: the application neither validates the destination against a whitelist of trusted domains nor sanitizes the input. When a user reaches the identity/faces/firstlogin endpoint and submits a changepwd action carrying a malicious backUrl value, the server follows that value directly, without checking whether the target belongs to the organization's own infrastructure. An attacker can therefore craft a link that genuinely points at the trusted Oracle Identity Manager host but ends by redirecting the user to a phishing site or other attacker-controlled domain.

From an operational perspective, this vulnerability poses significant risks to enterprise security posture and user trust within Oracle Fusion Middleware deployments. Attackers can exploit this flaw to conduct sophisticated phishing campaigns where users are redirected from legitimate identity management pages to attacker-controlled sites that mimic the authentic Oracle interface. The impact extends beyond simple credential theft as users may unknowingly provide sensitive information to malicious actors while believing they are performing legitimate password changes within their organization's trusted systems. The vulnerability particularly affects organizations using Oracle Fusion Middleware for identity management, creating potential for widespread compromise across user bases that rely on these authentication services.

Security practitioners should apply mitigations immediately: validate and sanitize the backUrl parameter, enforce a strict whitelist of allowed redirect domains, and reject any value that does not resolve to an approved destination. The vulnerability is classified as CWE-601 (Open Redirect) and maps to ATT&CK technique T1566.001 for credential harvesting through phishing. Organizations should also consider a web application firewall to monitor and filter suspicious redirect patterns, assess all Oracle Identity Manager components, and keep patch management current so the vendor fix is applied. Phishing awareness training and multi-factor authentication further reduce the impact of a successful credential compromise.
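The whitelist check recommended above, written as an added example (not Oracle's code and not part of this entry): a server-side validator for a redirect target such as backUrl. The allowlisted host names and the default landing page are constructed assumptions.

```python
# Added example: allowlist validation for a redirect target like backUrl.
# Host names below are constructed for illustration, not taken from any product.
from urllib.parse import urlsplit, urlunsplit

# Hypothetical set of hosts the identity portal is allowed to send users back to.
ALLOWED_HOSTS = {"idm.example.corp", "portal.example.corp"}
# Hypothetical safe landing page used whenever the supplied target is rejected.
DEFAULT_TARGET = "/identity/faces/home"


def safe_back_url(back_url: str) -> str:
    """Return back_url only if it is a same-site path or an https URL on an
    allowlisted host; otherwise fall back to DEFAULT_TARGET."""
    if not back_url:
        return DEFAULT_TARGET
    # Browsers treat backslashes as slashes, so "/\evil.example" would be
    # followed as "//evil.example"; normalise before parsing.
    candidate = back_url.replace("\\", "/")
    # Whitespace and control characters never belong in a redirect target.
    if any(ch.isspace() or ord(ch) < 0x20 for ch in candidate):
        return DEFAULT_TARGET
    parts = urlsplit(candidate)
    if parts.scheme == "" and parts.netloc == "":
        # Relative target: accept a single leading "/", reject "//host" forms.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return DEFAULT_TARGET
    # Absolute targets must be https; this also rejects javascript: and data:.
    if parts.scheme.lower() != "https":
        return DEFAULT_TARGET
    # .hostname drops userinfo and port, so "https://idm.example.corp@evil"
    # is compared as "evil", not as the allowlisted name.
    host = (parts.hostname or "").lower()
    if host not in ALLOWED_HOSTS:
        return DEFAULT_TARGET
    return urlunsplit(parts)


if __name__ == "__main__":
    # Constructed sample inputs a firstlogin handler might receive.
    for sample in ("/identity/faces/home?tab=1",
                   "https://idm.example.corp/identity/faces/firstlogin",
                   "https://evil.example/login",
                   "//evil.example/login",
                   "https://idm.example.corp@evil.example/"):
        print(f"{sample!r:55} -> {safe_back_url(sample)}")
```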

Reservation

04/17/2014

Disclosure

04/17/2014

Moderation

accepted

Entry

VDB-67880

CPE

ready

EPSS

0.08421

KEV

no

Activities

very low
