CVE-2023-0582 – Path Traversal in ForgeRock Access Management
https://notcve.org/view.php?id=CVE-2023-0582
27 Mar 2024 — Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in ForgeRock Access Management allows Authorization Bypass. This issue affects Access Management: before 7.3.0, before 7.2.1, before 7.1.4, through 7.0.2. • https://backstage.forgerock.com/downloads/browse/am/featured • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2022-3748 – Improper authorization that can lead to account impersonation
https://notcve.org/view.php?id=CVE-2022-3748
14 Apr 2023 — Improper Authorization vulnerability in ForgeRock Inc. Access Management allows Authentication Bypass. This issue affects Access Management: from 6.5.0 through 7.2.0. • https://backstage.forgerock.com/downloads/browse/am/all/productId:am • CWE-285: Improper Authorization
CVE-2022-24669 – Anonymous users can register / de-register for configuration change notifications
https://notcve.org/view.php?id=CVE-2022-24669
27 Oct 2022 — It may be possible to gain some details of the deployment through a well-crafted attack. This may allow that data to be used to probe internal network services. • https://backstage.forgerock.com/downloads/browse/am/featured • CWE-862: Missing Authorization
CVE-2022-24670 – Any user can run unrestricted LDAP queries against a configuration endpoint
https://notcve.org/view.php?id=CVE-2022-24670
27 Oct 2022 — An attacker can use the unrestricted LDAP queries to determine configuration entries. • https://backstage.forgerock.com/downloads/browse/am/featured • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2021-4201 – Pre-authentication session hijacking
https://notcve.org/view.php?id=CVE-2021-4201
14 Feb 2022 — Missing access control in ForgeRock Access Management 7.1.0 and earlier versions on all platforms allows remote unauthenticated attackers to hijack sessions, including potentially admin-level sessions. This issue affects: ForgeRock Access Management 7.1 versions prior to 7.1.1; 6.5 versions prior to 6.5.4; all previous versions. • https://backstage.forgerock.com/knowledge/kb/article/a50037155#x7ZPA0 • CWE-284: Improper Access Control • CWE-287: Improper Authentication
CVE-2021-37153
https://notcve.org/view.php?id=CVE-2021-37153
25 Aug 2021 — ForgeRock Access Management (AM) before 7.0.2, when configured with Active Directory as the Identity Store, has an authentication-bypass issue. • https://backstage.forgerock.com/knowledge/kb/article/a55763454
CVE-2021-37154
https://notcve.org/view.php?id=CVE-2021-37154
25 Aug 2021 — In ForgeRock Access Management (AM) before 7.0.2, the SAML2 implementation allows XML injection, potentially enabling a fraudulent SAML 2.0 assertion. • https://backstage.forgerock.com/knowledge/kb/article/a55763454 • CWE-91: XML Injection (aka Blind XPath Injection)
CVE-2017-14395
https://notcve.org/view.php?id=CVE-2017-14395
19 Jun 2019 — OAuth 2.0 Authorization Server of ForgeRock Access Management (OpenAM) 13.5.0-13.5.1 and Access Management (AM) 5.0.0-5.1.1 does not correctly validate redirect_uri for some invalid requests, which allows attackers to execute a script in the user's browser via reflected XSS. • https://backstage.forgerock.com/knowledge/kb/article/a45958025 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-14394
https://notcve.org/view.php?id=CVE-2017-14394
19 Jun 2019 — OAuth 2.0 Authorization Server of ForgeRock Access Management (OpenAM) 13.5.0-13.5.1 and Access Management (AM) 5.0.0-5.1.1 does not correctly validate redirect_uri for some invalid requests, which allows attackers to perform phishing via an unvalidated redirect. • https://backstage.forgerock.com/knowledge/kb/article/a45958025 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CVE-2018-7272
https://notcve.org/view.php?id=CVE-2018-7272
21 Feb 2018 — The REST APIs in ForgeRock AM before 5.5.0 include SSOToken IDs as part of the URL, which allows attackers to obtain sensitive information by finding an ID value in a log file. • https://backstage.forgerock.com/knowledge/kb/book/b21824339 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor