
CVE-2025-20059 – PingAM Java Policy Agent path traversal
https://notcve.org/view.php?id=CVE-2025-20059
20 Feb 2025 — Relative Path Traversal vulnerability in Ping Identity PingAM Java Policy Agent allows Parameter Injection. This issue affects PingAM Java Policy Agent: through 5.10.3, through 2023.11.1, through 2024.9. • https://backstage.forgerock.com/knowledge/advisories/article/a61848355 • CWE-23: Relative Path Traversal •

CVE-2024-23983 – Access rules for PingAccess may be circumvented with URL-encoded characters
https://notcve.org/view.php?id=CVE-2024-23983
11 Nov 2024 — Improper handling of canonical URL-encoding may lead to bypass not properly constrained by request rules. • https://docs.pingidentity.com/pingaccess/latest/release_notes/pa_811_rn.html • CWE-20: Improper Input Validation CWE-177: Improper Handling of URL Encoding (Hex Encoding) •

CVE-2024-25566 – Open Redirect in PingAM
https://notcve.org/view.php?id=CVE-2024-25566
29 Oct 2024 — An Open-Redirect vulnerability exists in PingAM where well-crafted requests may cause improper validation of redirect URLs. This could allow an attacker to redirect end-users to malicious sites under their control, simplifying phishing attacks. • https://backstage.forgerock.com/downloads/browse/am/featured • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •

CVE-2024-23600 – PingIDM Query Filter Vulnerability
https://notcve.org/view.php?id=CVE-2024-23600
01 Aug 2024 — Improper Input Validation of query search results for private field data in PingIDM (OpenIDM, Query Filter module) allows for a potentially efficient brute forcing approach leading to information disclosure. Ping Identity PingIDM versions 7.0.0 through 7.5.0 enabled an attacker with read access to the User collec... • https://packetstorm.news/files/id/182457 • CWE-20: Improper Input Validation •

CVE-2024-21832 – PingFederate REST API Data Store Injection
https://notcve.org/view.php?id=CVE-2024-21832
09 Jul 2024 — A potential JSON injection attack vector exists in PingFederate REST API data stores using the POST method and a JSON request body. • https://docs.pingidentity.com/r/en-us/pingfederate-120/lwu1707324350083 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2024-22377 – PingFederate Runtime Node Path Traversal
https://notcve.org/view.php?id=CVE-2024-22377
09 Jul 2024 — The deploy directory in PingFederate runtime nodes is reachable to unauthorized users. • https://docs.pingidentity.com/r/en-us/pingfederate-120/lwu1707324350083 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2024-22477 – PingFederate OIDC Policy Management Editor Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-22477
09 Jul 2024 — A cross-site scripting vulnerability exists in the admin console OIDC Policy Management Editor. The impact is contained to admin console users only. • https://docs.pingidentity.com/r/en-us/pingfederate-120/lwu1707324350083 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2023-40356 – PingOne MFA Integration Kit MFA bypass
https://notcve.org/view.php?id=CVE-2023-40356
09 Jul 2024 — PingOne MFA Integration Kit contains a vulnerability related to the Prompt Users to Set Up MFA configuration. Under certain conditions, this configuration could allow for a new MFA device to be paired with a target user account without requiring second-factor authentication from the target’s existing registered devices. A threat actor might be able to exploit this vulnerability to register their own MFA device with a target user’s account if they have existing knowledge of the target user’s first factor cre... • https://docs.pingidentity.com/r/en-us/pingfederate-pingone-mfa-ik/bks1657303194394 • CWE-290: Authentication Bypass by Spoofing •

CVE-2023-40702 – PingOne MFA Integration Kit MFA bypass
https://notcve.org/view.php?id=CVE-2023-40702
09 Jul 2024 — PingOne MFA Integration Kit contains a vulnerability where the skipMFA action can be configured such that user authentication does not require the second factor authentication from the user's existing registered devices. A threat actor might be able to exploit this vulnerability to authenticate as a target user if they have existing knowledge of the target user’s first-factor credentials. • https://docs.pingidentity.com/r/en-us/pingfederate-pingone-mfa-ik/bks1657303194394 • CWE-290: Authentication Bypass by Spoofing •

CVE-2024-23316 – PingAccess HTTP Request Desynchronization Weakness
https://notcve.org/view.php?id=CVE-2024-23316
31 May 2024 — HTTP request desynchronization in Ping Identity PingAccess (all versions prior to 8.0.1 affected) allows an attacker to send specially crafted HTTP header requests to create a request smuggling condition for proxied requests. • https://docs.pingidentity.com/r/en-us/pingaccess-80/pa_801_rn • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •