Pingidentity: >> Pingfederate >> 11.2.2 Security Vulnerabilities
The deploy directory in PingFederate runtime nodes is reachable to unauthorized users.
CVSS Score
5.3
EPSS Score
0.002
Published
2024-07-09
A cross-site scripting vulnerability exists in the admin console OIDC Policy Management Editor. The impact is contained to admin console users only.
CVSS Score
1.8
EPSS Score
0.001
Published
2024-07-09
When an AWS DynamoDB table is used for user attribute storage, it is possible to retrieve the attributes of another user using a maliciously crafted request
CVSS Score
2.6
EPSS Score
0.002
Published
2023-10-25
Under a very specific and highly unrecommended configuration, authentication bypass is possible in the PingFederate Identifier First Adapter
CVSS Score
8.1
EPSS Score
0.001
Published
2023-10-25
PingFederate Administrative Console dependency contains a weakness where console becomes unresponsive with crafted Java class loading enumeration requests
CVSS Score
7.5
EPSS Score
0.002
Published
2023-10-25
A misconfiguration of RSA padding implemented in the PingID Adapter for PingFederate to support Offline MFA with PingID mobile authenticators is vulnerable to pre-computed dictionary attacks, leading to a bypass of offline MFA.
CVSS Score
7.7
EPSS Score
0.0
Published
2023-04-25
The PingID RADIUS PCV adapter for PingFederate, which supports RADIUS authentication with PingID MFA, is vulnerable to MFA bypass under certain configurations.
CVSS Score
6.5
EPSS Score
0.0
Published
2023-04-25
The PingFederate Local Identity Profiles '/pf/idprofile.ping' endpoint is vulnerable to Cross-Site Request Forgery (CSRF) through crafted GET requests.
CVSS Score
6.4
EPSS Score
0.001
Published
2023-04-25