CVE-2023-39231 – PingFederate PingOne MFA IK Device Pairing Second Factor Authentication Bypass
https://notcve.org/view.php?id=CVE-2023-39231
PingFederate using the PingOne MFA adapter allows a new MFA device to be paired without requiring second factor authentication from an existing registered device. A threat actor may be able to exploit this vulnerability to register their own MFA device if they have knowledge of a victim user's first factor credentials.
• https://docs.pingidentity.com/r/en-us/pingfederate-pingone-mfa-ik/bks1657303194394
• https://www.pingidentity.com/en/resources/downloads/pingid.html
• CWE-288: Authentication Bypass Using an Alternate Path or Channel
• CWE-306: Missing Authentication for Critical Function
CVE-2022-23723 – PingFederate PingOneMFA Integration Kit MFA Bypass
https://notcve.org/view.php?id=CVE-2022-23723
An MFA bypass vulnerability exists in the PingFederate PingOne MFA Integration Kit when adapter HTML templates are used as part of an authentication flow.
• https://docs.pingidentity.com/bundle/pingfederate-pingone-mfa-ik/page/wpt1599064234202.html
• https://www.pingidentity.com/en/resources/downloads/pingfederate.html
• CWE-287: Improper Authentication
• CWE-288: Authentication Bypass Using an Alternate Path or Channel