CVE-2022-40724 – Cross-Site Request Forgery on PingFederate Local Identity Profiles Endpoint.
https://notcve.org/view.php?id=CVE-2022-40724
The PingFederate Local Identity Profiles '/pf/idprofile.ping' endpoint is vulnerable to Cross-Site Request Forgery (CSRF) through crafted GET requests. • https://docs.pingidentity.com/r/en-us/pingfederate-110/fll1675188537050 • CWE-352: Cross-Site Request Forgery (CSRF)
CVE-2022-40725 – PingID Desktop PIN attempt lockout bypass.
https://notcve.org/view.php?id=CVE-2022-40725
PingID Desktop prior to the latest released version 1.7.4 contains a vulnerability that can be exploited to bypass the maximum PIN attempts permitted before the time-based lockout is activated. • https://docs.pingidentity.com/r/en-us/pingid/desktop_app_1.7.4 • CWE-288: Authentication Bypass Using an Alternate Path or Channel • CWE-306: Missing Authentication for Critical Function
CVE-2018-25084 – Ping Identity Self-Service Account Manager SSAMController.java cross site scripting
https://notcve.org/view.php?id=CVE-2018-25084
A vulnerability, which was classified as problematic, has been found in Ping Identity Self-Service Account Manager 1.1.2. Affected by this issue is some unknown functionality of the file src/main/java/com/unboundid/webapp/ssam/SSAMController.java. The manipulation leads to cross-site scripting. The attack may be launched remotely. Upgrading to version 1.1.3 addresses this issue. • https://github.com/pingidentity/ssam/commit/f64b10d63bb19ca2228b0c2d561a1a6e5a3bf251 • https://github.com/pingidentity/ssam/releases/tag/ssam-1.1.3 • https://vuldb.com/?ctiid.225362 • https://vuldb.com/?id.225362 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-23726
https://notcve.org/view.php?id=CVE-2022-23726
PingCentral versions prior to the listed versions expose Spring Boot actuator endpoints that, with administrative authentication, return large amounts of sensitive environmental and application information. • https://docs.pingidentity.com/bundle/pingcentral-110/page/sdd1651696160285.html • https://www.pingidentity.com/en/resources/downloads/pingcentral.html • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor • CWE-732: Incorrect Permission Assignment for Critical Resource
CVE-2022-23725 – PingID Windows Login prior to 2.8 does not properly set permissions on the Windows Registry entries used to store sensitive API keys under some circumstances
https://notcve.org/view.php?id=CVE-2022-23725
PingID Windows Login prior to 2.8 does not properly set permissions on the Windows Registry entries used to store sensitive API keys under some circumstances. • https://docs.pingidentity.com/bundle/pingid/page/zhy1653552428545.html • https://www.pingidentity.com/en/resources/downloads/pingid.html • CWE-288: Authentication Bypass Using an Alternate Path or Channel • CWE-522: Insufficiently Protected Credentials • CWE-732: Incorrect Permission Assignment for Critical Resource