CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-9875
https://notcve.org/view.php?id=CVE-2024-9875
20 Nov 2024 — Okta Privileged Access server agent (SFTD) versions 1.82.0 to 1.84.0 are affected by a privilege escalation vulnerability when the sudo command bundles feature is enabled. To remediate this vulnerability, upgrade the Okta Privileged Access server agent (SFTD) to version 1.87.1 or greater. • https://help.okta.com/asa/en-us/content/topics/releasenotes/advanced-server-access-release-notes.htm • CWE-20: Improper Input Validation •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-9191
https://notcve.org/view.php?id=CVE-2024-9191
01 Nov 2024 — The Okta Device Access features, provided by the Okta Verify agent for Windows, provides access to the OktaDeviceAccessPipe, which enables attackers in a compromised device to retrieve passwords associated with Desktop MFA passwordless logins. The vulnerability was discovered via routine penetration testing. Note: A precondition of this vulnerability is that the user must be using the Okta Device Access passwordless feature. Okta Device Access users not using passwordless are not affected, and customers onl... • https://help.okta.com/oie/en-us/content/topics/releasenotes/oie-ov-release-notes.htm#panel4 • CWE-276: Incorrect Default Permissions •
CVSS: 9.4EPSS: 0%CPEs: 1EXPL: 0CVE-2024-10327
https://notcve.org/view.php?id=CVE-2024-10327
24 Oct 2024 — A vulnerability in Okta Verify for iOS versions 9.25.1 (beta) and 9.27.0 (including beta) allows push notification responses through the iOS ContextExtension feature allowing the authentication to proceed regardless of the user’s selection. When a user long-presses the notification banner and selects an option, both options allow the authentication to succeed. The ContextExtension feature is one of several push mechanisms available when using Okta Verify Push on iOS devices. The vulnerable flows include: * ... • https://help.okta.com/en-us/content/topics/releasenotes/okta-verify-release-notes.htm#panel2 • CWE-287: Improper Authentication •
CVSS: 7.8EPSS: 0%CPEs: 1EXPL: 0CVE-2024-7061
https://notcve.org/view.php?id=CVE-2024-7061
07 Aug 2024 — Okta Verify for Windows is vulnerable to privilege escalation through DLL hijacking. The vulnerability is fixed in Okta Verify for Windows version 5.0.2. To remediate this vulnerability, upgrade to 5.0.2 or greater. • https://help.okta.com/oie/en-us/content/topics/releasenotes/oie-ov-release-notes.htm#panel4 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-427: Uncontrolled Search Path Element •
CVSS: 7.1EPSS: 0%CPEs: 1EXPL: 0CVE-2024-0981
https://notcve.org/view.php?id=CVE-2024-0981
23 Jul 2024 — Okta Browser Plugin versions 6.5.0 through 6.31.0 (Chrome/Edge/Firefox/Safari) are vulnerable to cross-site scripting. This issue occurs when the plugin prompts the user to save these credentials within Okta Personal. A fix was implemented to properly escape these fields, addressing the vulnerability. Importantly, if Okta Personal is not added to the plugin to enable multi-account view, the Workforce Identity Cloud plugin is not affected by this issue. The vulnerability is fixed in Okta Browser Plugin versi... • https://trust.okta.com/security-advisories/okta-browser-plugin-reflected-cross-site-scripting-cve-2024-0981 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2024-0980
https://notcve.org/view.php?id=CVE-2024-0980
27 Mar 2024 — The Auto-update service for Okta Verify for Windows is vulnerable to two flaws which in combination could be used to execute arbitrary code. El servicio de actualización automática de Okta Verify para Windows es vulnerable a dos fallas que, en combinación, podrían usarse para ejecutar código arbitrario. • https://trust.okta.com/security-advisories/okta-verify-windows-auto-update-arbitrary-code-execution-cve-2024-0980 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-427: Uncontrolled Search Path Element •
CVSS: 6.7EPSS: 0%CPEs: 1EXPL: 0CVE-2023-0392
https://notcve.org/view.php?id=CVE-2023-0392
08 Nov 2023 — The LDAP Agent Update service with versions prior to 5.18 used an unquoted path, which could allow arbitrary code execution. El servicio LDAP Agent Update con versiones anteriores a la 5.18 utilizaba una ruta sin comillas, lo que podía permitir la ejecución de código arbitrario. • https://trust.okta.com/security-advisories/okta-ldap-agent-cve-2023-0392 • CWE-428: Unquoted Search Path or Element •
CVSS: 5.5EPSS: 0%CPEs: 1EXPL: 1CVE-2021-45094
https://notcve.org/view.php?id=CVE-2021-45094
20 Jul 2023 — Imprivata Privileged Access Management (formally Xton Privileged Access Management) 2.3.202112051108 allows XSS. • https://aegis9.com.au/blog • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 10.0EPSS: 0%CPEs: 1EXPL: 0CVE-2023-0093
https://notcve.org/view.php?id=CVE-2023-0093
06 Mar 2023 — Okta Advanced Server Access Client versions 1.13.1 through 1.65.0 are vulnerable to command injection due to the third party library webbrowser. An outdated library, webbrowser, used by the ASA client was found to be vulnerable to command injection. To exploit this issue, an attacker would need to phish the user to enter an attacker controlled server URL during enrollment. • https://trust.okta.com/security-advisories/okta-advanced-server-access-client-cve-2023-0093 • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') •
CVSS: 5.0EPSS: 0%CPEs: 1EXPL: 0CVE-2022-3145
https://notcve.org/view.php?id=CVE-2022-3145
12 Jan 2023 — An open redirect vulnerability exists in Okta OIDC Middleware prior to version 5.0.0 allowing an attacker to redirect a user to an arbitrary URL. Existe una vulnerabilidad de redireccionamiento abierto en Okta OIDC Middleware anterior a la versión 5.0.0 que permite a un atacante redirigir a un usuario a una URL arbitraria. • https://github.com/okta/okta-oidc-middleware/security/advisories/GHSA-58h4-9m7m-j9m4 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •