Filtered by vendor Pingidentity
Total: 39 CVE
CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description
---|---|---|---|---|---|---
CVE-2014-8489 | 1 Pingidentity | 1 Pingfederate | 2025-04-12 | 6.4 MEDIUM | N/A | Open redirect vulnerability in startSSO.ping in the SP Endpoints in Ping Identity PingFederate 6.10.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the TargetResource parameter.
CVE-2024-22477 | 1 Pingidentity | 1 Pingfederate | 2024-11-21 | N/A | 1.8 LOW | A cross-site scripting vulnerability exists in the admin console OIDC Policy Management Editor. The impact is contained to admin console users only.
CVE-2024-22377 | 1 Pingidentity | 1 Pingfederate | 2024-11-21 | N/A | 5.3 MEDIUM | The deploy directory in PingFederate runtime nodes is reachable to unauthorized users.
CVE-2023-40545 | 1 Pingidentity | 1 Pingfederate | 2024-11-21 | N/A | 8.8 HIGH | Authentication bypass when an OAuth2 Client is using client_secret_jwt as its authentication method on affected 11.3 versions via specially crafted requests.
CVE-2023-39930 | 1 Pingidentity | 1 Pingid Radius Pcv | 2024-11-21 | N/A | 7.5 HIGH | A first-factor authentication bypass vulnerability exists in PingFederate with the PingID RADIUS PCV when an MSCHAP authentication request is sent via a maliciously crafted RADIUS client request.
CVE-2023-39231 | 1 Pingidentity | 1 Pingone Mfa Integration Kit | 2024-11-21 | N/A | 7.3 HIGH | PingFederate using the PingOne MFA adapter allows a new MFA device to be paired without requiring second-factor authentication from an existing registered device. A threat actor may be able to exploit this vulnerability to register their own MFA device if they have knowledge of a victim user's first-factor credentials.
CVE-2023-39219 | 1 Pingidentity | 1 Pingfederate | 2024-11-21 | N/A | 7.5 HIGH | A PingFederate Administrative Console dependency contains a weakness where the console becomes unresponsive with crafted Java class loading enumeration requests.
CVE-2023-37283 | 1 Pingidentity | 1 Pingfederate | 2024-11-21 | N/A | 8.1 HIGH | Under a very specific and highly unrecommended configuration, authentication bypass is possible in the PingFederate Identifier First Adapter.
CVE-2023-36496 | 1 Pingidentity | 1 Pingdirectory | 2024-11-21 | N/A | 7.7 HIGH | The Delegated Admin Privilege virtual attribute provider plugin, when enabled, allows an authenticated user to elevate their permissions in the Directory Server.
CVE-2023-34085 | 1 Pingidentity | 1 Pingfederate | 2024-11-21 | N/A | 2.6 LOW | When an AWS DynamoDB table is used for user attribute storage, it is possible to retrieve the attributes of another user using a maliciously crafted request.
CVE-2022-40725 | 1 Pingidentity | 1 Desktop | 2024-11-21 | N/A | 7.3 HIGH | PingID Desktop prior to the latest released version 1.7.4 contains a vulnerability that can be exploited to bypass the maximum PIN attempts permitted before the time-based lockout is activated.
CVE-2022-40724 | 1 Pingidentity | 1 Pingfederate | 2024-11-21 | N/A | 6.4 MEDIUM | The PingFederate Local Identity Profiles '/pf/idprofile.ping' endpoint is vulnerable to Cross-Site Request Forgery (CSRF) through crafted GET requests.
CVE-2022-40723 | 1 Pingidentity | 3 Pingfederate, Pingid Integration Kit, Radius Pcv | 2024-11-21 | N/A | 6.5 MEDIUM | The PingID RADIUS PCV adapter for PingFederate, which supports RADIUS authentication with PingID MFA, is vulnerable to MFA bypass under certain configurations.
CVE-2022-40722 | 1 Pingidentity | 3 Pingfederate, Pingid Adapter For Pingfederate, Pingid Integration Kit | 2024-11-21 | N/A | 7.7 HIGH | A misconfiguration of RSA padding implemented in the PingID Adapter for PingFederate to support Offline MFA with PingID mobile authenticators is vulnerable to pre-computed dictionary attacks, leading to a bypass of offline MFA.
CVE-2022-23726 | 1 Pingidentity | 1 Pingcentral | 2024-11-21 | N/A | 5.4 MEDIUM | PingCentral versions prior to the listed versions expose Spring Boot actuator endpoints that, with administrative authentication, return large amounts of sensitive environmental and application information.
CVE-2022-23725 | 1 Pingidentity | 1 Pingid Integration For Windows Login | 2024-11-21 | 2.1 LOW | 7.7 HIGH | PingID Windows Login prior to 2.8 does not properly set permissions on the Windows Registry entries used to store sensitive API keys under some circumstances.
CVE-2022-23724 | 1 Pingidentity | 1 Pingid Integration For Windows Login | 2024-11-21 | 5.5 MEDIUM | 6.4 MEDIUM | Use of static encryption key material allows forging an authentication token for other users within a tenant organization. MFA may be bypassed by redirecting an authentication flow to a target user. To exploit the vulnerability, an attacker must have compromised user credentials.
CVE-2022-23723 | 1 Pingidentity | 1 Pingone Mfa Integration Kit | 2024-11-21 | 5.0 MEDIUM | 7.7 HIGH | An MFA bypass vulnerability exists in the PingFederate PingOne MFA Integration Kit when adapter HTML templates are used as part of an authentication flow.
CVE-2022-23722 | 1 Pingidentity | 1 Pingfederate | 2024-11-21 | 3.5 LOW | 6.5 MEDIUM | When a password reset mechanism is configured to use the Authentication API with an Authentication Policy, email One-Time Password, PingID or SMS authentication, an existing user can reset another existing user's password.
CVE-2022-23721 | 1 Pingidentity | 1 Pingid Integration For Windows Login | 2024-11-21 | N/A | 3.8 LOW | PingID integration for Windows login prior to 2.9 does not handle duplicate usernames, which can lead to a username collision when two people with the same username are provisioned onto the same machine at different times.