Total
5 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2023-44040 | 1 Veridiumid | 1 Veridiumad | 2025-04-24 | N/A | 6.1 MEDIUM |
| In VeridiumID before 3.5.0, the identity provider page is susceptible to a cross-site scripting (XSS) vulnerability that can be exploited by an internal unauthenticated attacker for JavaScript execution in the context of the user trying to authenticate. | |||||
| CVE-2023-45552 | 1 Veridiumid | 1 Veridiumad | 2025-04-16 | N/A | 6.5 MEDIUM |
| In VeridiumID before 3.5.0, a stored cross-site scripting (XSS) vulnerability has been discovered in the admin portal that allows an authenticated attacker to take over all accounts by sending malicious input via the self-service portal. | |||||
| CVE-2023-44039 | 1 Veridiumid | 1 Veridiumad | 2025-04-16 | N/A | 9.1 CRITICAL |
| In VeridiumID before 3.5.0, the WebAuthn API allows an internal unauthenticated attacker (who can pass enrollment verifications and is allowed to enroll a FIDO key) to register their FIDO authenticator to a victim’s account and consequently take over the account. | |||||
| CVE-2023-44038 | 1 Veridiumid | 1 Veridiumad | 2025-04-16 | N/A | 6.5 MEDIUM |
| In VeridiumID before 3.5.0, the identity provider page allows an unauthenticated attacker to discover information about registered users via an LDAP injection attack. | |||||
| CVE-2021-42791 | 1 Veridiumid | 1 Veridiumad | 2024-11-21 | 4.9 MEDIUM | 7.3 HIGH |
| An issue was discovered in VeridiumID VeridiumAD 2.5.3.0. The HTTP request to trigger push notifications for VeridiumAD enrolled users does not enforce proper access control. A user can trigger push notifications for any other user. The text contained in the push notification can also be modified. If a user who receives the notification accepts it, then the user who triggered the notification can obtain the accepting user's login certificate. | |||||