
CVE-2024-25573 – Stored Cross-Site Scripting in Administrative Console Context
https://notcve.org/view.php?id=CVE-2024-25573
15 Jun 2025 — Unsanitized user-supplied data saved in the PingFederate Administrative Console could trigger the execution of JavaScript code in subsequent user processing. • https://docs.pingidentity.com/pingfederate/12.1/release_notes/pf_release_notes.html • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •

CVE-2025-22854 – Possible thread exhaustion from processing http responses in PingFederate Google Adapter
https://notcve.org/view.php?id=CVE-2025-22854
15 Jun 2025 — Improper handling of non-200 http responses in the PingFederate Google Adapter leads to thread exhaustion under normal usage conditions. • https://docs.pingidentity.com/integrations/google/google_login_integration_kit/pf_google_cic_changelog.html • CWE-394: Unexpected Status Code or Return Value •

CVE-2025-21085 – PingFederate OAuth Grant attribute duplication may use excessive memory
https://notcve.org/view.php?id=CVE-2025-21085
15 Jun 2025 — PingFederate OAuth2 grant duplication in PostgreSQL persistent storage allows OAuth2 requests to use excessive memory utilization. • https://support.pingidentity.com/s/article/PingFederate-grant-attribute-duplication-with-PostgreSQL • CWE-462: Duplicate Key in Associative List (Alist) •

CVE-2025-20059 – PingAM Java Policy Agent path traversal
https://notcve.org/view.php?id=CVE-2025-20059
20 Feb 2025 — Relative Path Traversal vulnerability in Ping Identity PingAM Java Policy Agent allows Parameter Injection. This issue affects PingAM Java Policy Agent: through 5.10.3, through 2023.11.1, through 2024.9. • https://backstage.forgerock.com/knowledge/advisories/article/a61848355 • CWE-23: Relative Path Traversal •

CVE-2024-23983 – Access rules for PingAccess may be circumvented with URL-encoded characters
https://notcve.org/view.php?id=CVE-2024-23983
11 Nov 2024 — Improper handling of canonical URL-encoding may allow requests that are not properly constrained by request rules to bypass access rules. • https://docs.pingidentity.com/pingaccess/latest/release_notes/pa_811_rn.html • CWE-20: Improper Input Validation CWE-177: Improper Handling of URL Encoding (Hex Encoding) •

CVE-2024-25566 – Open Redirect in PingAM
https://notcve.org/view.php?id=CVE-2024-25566
29 Oct 2024 — An Open-Redirect vulnerability exists in PingAM where well-crafted requests may cause improper validation of redirect URLs. This could allow an attacker to redirect end-users to malicious sites under their control, simplifying phishing attacks. • https://backstage.forgerock.com/downloads/browse/am/featured • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •

CVE-2024-23600 – PingIDM Query Filter Vulnerability
https://notcve.org/view.php?id=CVE-2024-23600
01 Aug 2024 — Improper Input Validation of query search results for private field data in PingIDM (Query Filter module) allows for a potentially efficient brute forcing approach leading to information disclosure. Ping Identity PingIDM versions 7.0.0 through 7.5.0 enabled an attacker with read access to the User collec... • https://packetstorm.news/files/id/182457 • CWE-20: Improper Input Validation •

CVE-2024-21832 – PingFederate REST API Data Store Injection
https://notcve.org/view.php?id=CVE-2024-21832
09 Jul 2024 — A potential JSON injection attack vector exists in PingFederate REST API data stores using the POST method and a JSON request body. • https://docs.pingidentity.com/r/en-us/pingfederate-120/lwu1707324350083 • CWE-94: Improper Control of Generation of Code ('Code Injection') •

CVE-2024-22377 – PingFederate Runtime Node Path Traversal
https://notcve.org/view.php?id=CVE-2024-22377
09 Jul 2024 — The deploy directory in PingFederate runtime nodes is reachable to unauthorized users. • https://docs.pingidentity.com/r/en-us/pingfederate-120/lwu1707324350083 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVE-2024-22477 – PingFederate OIDC Policy Management Editor Cross-Site Scripting
https://notcve.org/view.php?id=CVE-2024-22477
09 Jul 2024 — A cross-site scripting vulnerability exists in the admin console OIDC Policy Management Editor. The impact is contained to admin console users only. • https://docs.pingidentity.com/r/en-us/pingfederate-120/lwu1707324350083 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •