CVSS: 10.0EPSS: 0%CPEs: 4EXPL: 0CVE-2022-40724 – Cross-Site Request Forgery on PingFederate Local Identity Profiles Endpoint.
https://notcve.org/view.php?id=CVE-2022-40724
25 Apr 2023 — The PingFederate Local Identity Profiles '/pf/idprofile.ping' endpoint is vulnerable to Cross-Site Request Forgery (CSRF) through crafted GET requests. • https://docs.pingidentity.com/r/en-us/pingfederate-110/fll1675188537050 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 7.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-40725 – PingID Desktop PIN attempt lockout bypass.
https://notcve.org/view.php?id=CVE-2022-40725
25 Apr 2023 — PingID Desktop prior to the latest released version 1.7.4 contains a vulnerability that can be exploited to bypass the maximum PIN attempts permitted before the time-based lockout is activated. • https://docs.pingidentity.com/r/en-us/pingid/desktop_app_1.7.4 • CWE-288: Authentication Bypass Using an Alternate Path or Channel CWE-306: Missing Authentication for Critical Function •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2018-25084 – Ping Identity Self-Service Account Manager SSAMController.java cross site scripting
https://notcve.org/view.php?id=CVE-2018-25084
10 Apr 2023 — A vulnerability, which was classified as problematic, has been found in Ping Identity Self-Service Account Manager 1.1.2. Affected by this issue is some unknown functionality of the file src/main/java/com/unboundid/webapp/ssam/SSAMController.java. The manipulation leads to cross site scripting. The attack may be launched remotely. Upgrading to version 1.1.3 is able to address this issue. • https://github.com/pingidentity/ssam/commit/f64b10d63bb19ca2228b0c2d561a1a6e5a3bf251 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2022-23726
https://notcve.org/view.php?id=CVE-2022-23726
30 Sep 2022 — PingCentral versions prior to listed versions expose Spring Boot actuator endpoints that with administrative authentication return large amounts of sensitive environmental and application information. PingCentral versiones anteriores a las enumeradas exponen endpoints de actuadores de Spring Boot que, con autenticación administrativa, devuelven grandes cantidades de información confidencial del entorno y de la aplicación • https://docs.pingidentity.com/bundle/pingcentral-110/page/sdd1651696160285.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 7.7EPSS: 0%CPEs: 1EXPL: 0CVE-2022-23725 – PingID Windows Login prior to 2.8 does not properly set permissions on the Windows Registry entries used to store sensitive API keys under some circumstances
https://notcve.org/view.php?id=CVE-2022-23725
30 Jun 2022 — PingID Windows Login prior to 2.8 does not properly set permissions on the Windows Registry entries used to store sensitive API keys under some circumstances. PingID Windows Login versiones anteriores a 2.8, no establece correctamente los permisos en las entradas del Registro de Windows usadas para almacenar claves confidenciales de la API en algunas circunstancias • https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html • CWE-288: Authentication Bypass Using an Alternate Path or Channel CWE-522: Insufficiently Protected Credentials CWE-732: Incorrect Permission Assignment for Critical Resource •
CVSS: 8.2EPSS: 0%CPEs: 1EXPL: 0CVE-2022-23720 – PingID Windows Login prior to 2.8 does not alert or halt operation if it has been provisioned with the full permissions PingID properties file
https://notcve.org/view.php?id=CVE-2022-23720
30 Jun 2022 — PingID Windows Login prior to 2.8 does not alert or halt operation if it has been provisioned with the full permissions PingID properties file. An IT administrator could mistakenly deploy administrator privileged PingID API credentials, such as those typically used by PingFederate, into PingID Windows Login user endpoints. Using sensitive full permissions properties file outside of a privileged trust boundary leads to an increased risk of exposure or discovery, and an attacker could leverage these credentia... • https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html • CWE-269: Improper Privilege Management CWE-288: Authentication Bypass Using an Alternate Path or Channel CWE-648: Incorrect Use of Privileged APIs •
CVSS: 7.2EPSS: 0%CPEs: 1EXPL: 0CVE-2022-23719 – PingID Windows Login prior to 2.8 does not authenticate communication with a local Java service used to capture security key requests
https://notcve.org/view.php?id=CVE-2022-23719
30 Jun 2022 — PingID Windows Login prior to 2.8 does not authenticate communication with a local Java service used to capture security key requests. An attacker with the ability to execute code on the target machine maybe able to exploit and spoof the local Java service using multiple attack vectors. A successful attack can lead to code executed as SYSTEM by the PingID Windows Login application, or even a denial of service for offline security key authentication. PingID Windows Login versiones anteriores a 2.8, no autent... • https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html • CWE-288: Authentication Bypass Using an Alternate Path or Channel CWE-306: Missing Authentication for Critical Function CWE-310: Cryptographic Issues •
CVSS: 9.3EPSS: 0%CPEs: 1EXPL: 0CVE-2022-23718 – PingID Windows Login prior to 2.8 uses known vulnerable components that can lead to remote code execution
https://notcve.org/view.php?id=CVE-2022-23718
30 Jun 2022 — PingID Windows Login prior to 2.8 uses known vulnerable components that can lead to remote code execution. An attacker capable of achieving a sophisticated man-in-the-middle position, or to compromise Ping Identity web servers, could deliver malicious code that would be executed as SYSTEM by the PingID Windows Login application. PingID Windows Login versiones anteriores a 2.8, usa componentes vulnerables conocidos que pueden conllevar a una ejecución de código remota. Un atacante capaz de lograr una posició... • https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html • CWE-1352: OWASP Top Ten 2021 Category A06:2021 - Vulnerable and Outdated Components •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 0CVE-2022-23717 – PingID Windows Login prior to 2.8 denial of service condition
https://notcve.org/view.php?id=CVE-2022-23717
30 Jun 2022 — PingID Windows Login prior to 2.8 is vulnerable to a denial of service condition on local machines when combined with using offline security keys as part of authentication. PingID Windows Login versiones anteriores a 2.8, es vulnerable a una condición de denegación de servicio en máquinas locales cuando es combinado con el uso de claves de seguridad sin conexión como parte de la autenticación • https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html • CWE-404: Improper Resource Shutdown or Release •
CVSS: 7.7EPSS: 0%CPEs: 2EXPL: 0CVE-2021-41995 – PingID Mac Login prior to 1.1 vulnerable to pre-computed dictionary attacks
https://notcve.org/view.php?id=CVE-2021-41995
30 Jun 2022 — A misconfiguration of RSA in PingID Mac Login prior to 1.1 is vulnerable to pre-computed dictionary attacks, leading to an offline MFA bypass. Una configuración errónea de RSA en PingID Mac Login versiones anteriores a 1.1, es vulnerable a ataques de diccionario pre-calculado, conllevando a una omisión de MFA sin conexión • https://docs.pingidentity.com/bundle/pingid/page/hnh1653583508549.html • CWE-287: Improper Authentication CWE-288: Authentication Bypass Using an Alternate Path or Channel CWE-310: Cryptographic Issues •