Active Directory Federation Services
by Microsoft
CVEs (20)
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2016-0037 | Microsoft / Active Directory Federation Services | High | 0.51 | 7.5 | 0.26 |  | Feb 10, 2016 | The forms-based authentication implementation in Active Directory Federation Services (ADFS) 3.0 in Microsoft Windows Server 2012 R2 allows remote attackers to cause a denial of service (daemon outage) via crafted data, aka "Microsoft Active Directory Federation Services Denial… |
| CVE-2022-30215 | Microsoft / Active Directory Federation Services | High | 0.49 | 7.5 | 0.01 |  | Jul 12, 2022 | Active Directory Federation Services Elevation of Privilege Vulnerability |
| CVE-2018-8340 | Microsoft / Active Directory Federation Services | Medium | 0.43 | 6.5 | 0.08 |  | Aug 15, 2018 | A security feature bypass vulnerability exists when Active Directory Federation Services (AD FS) improperly handles multi-factor authentication requests, aka "AD FS Security Feature Bypass Vulnerability." This affects Windows Server 2016, Windows Server 2012 R2, Windows 10… |
| CVE-2023-35348 | Microsoft / Active Directory Federation Services | Medium | 0.42 | 6.5 | 0.01 |  | Jul 11, 2023 | Active Directory Federation Service Security Feature Bypass Vulnerability |
| CVE-2019-0975 | Microsoft / Active Directory Federation Services | Medium | 0.41 | 6.3 | 0.02 |  | Jul 15, 2019 | A security feature bypass vulnerability exists when Active Directory Federation Services (ADFS) improperly updates its list of banned IP addresses. To exploit this vulnerability, an attacker would have to convince a victim ADFS administrator to update the list of banned IP… |
| CVE-2020-1055 | Microsoft / Active Directory Federation Services | Medium | 0.40 | 6.1 | 0.02 |  | May 21, 2020 | A cross-site-scripting (XSS) vulnerability exists when Active Directory Federation Services (ADFS) does not properly sanitize user inputs, aka 'Microsoft Active Directory Federation Services Cross-Site Scripting Vulnerability'. |
| CVE-2021-41361 | Microsoft / Active Directory Federation Services | Medium | 0.35 | 5.4 | 0.01 |  | Oct 13, 2021 | Active Directory Federation Server Spoofing Vulnerability |
| CVE-2019-1273 | Microsoft / Active Directory Federation Services | Medium | 0.35 | 5.4 | 0.02 |  | Sep 11, 2019 | A cross-site-scripting (XSS) vulnerability exists when Active Directory Federation Services (ADFS) does not properly sanitize certain error messages, aka 'Active Directory Federation Services XSS Vulnerability'. |
| CVE-2019-1126 | Microsoft / Active Directory Federation Services | Medium | 0.35 | 5.3 | 0.05 |  | Jul 15, 2019 | A security feature bypass vulnerability exists in Active Directory Federation Services (ADFS) which could allow an attacker to bypass the extranet lockout policy. To exploit this vulnerability, an attacker could run a specially crafted application, which would allow an attacker… |
| CVE-2018-8547 | Microsoft / Active Directory Federation Services | Medium | 0.35 | 5.4 | 0.02 |  | Nov 14, 2018 | A cross-site-scripting (XSS) vulnerability exists when an open source customization for Microsoft Active Directory Federation Services (AD FS) does not properly sanitize a specially crafted web request to an affected AD FS server, aka "Active Directory Federation Services XSS… |
| CVE-2018-8326 | Microsoft / Active Directory Federation Services | Medium | 0.35 | 5.4 | 0.02 |  | Jul 11, 2018 | A cross-site-scripting (XSS) vulnerability exists when an open source customization for Microsoft Active Directory Federation Services (AD FS) does not properly sanitize a specially crafted web request to an affected AD FS server, aka "Open Source Customization for Active… |
| CVE-2017-0043 | Microsoft / Active Directory Federation Services | Medium | 0.35 | 5.3 | 0.02 |  | Mar 17, 2017 | Active Directory Federation Services in Microsoft Windows 10 1607, Windows Server 2008 SP2 and R2 SP1, Windows Server 2012 Gold and R2, and Windows Server 2016 allows local users to obtain sensitive information via a crafted application, aka "Microsoft Active Directory… |
| CVE-2020-0837 | Microsoft / Active Directory Federation Services | Medium | 0.33 | 5.0 | 0.01 |  | Sep 11, 2020 | An elevation of privilege vulnerability exists when Active Directory Federation Services (ADFS) improperly handles multi-factor authentication requests. An attacker who successfully exploited this vulnerability could bypass some, but not all, of the authentication… |
| CVE-2013-3185 | Microsoft / Active Directory Federation Services |  | 0.03 | — | 0.41 |  | Aug 14, 2013 | Microsoft Active Directory Federation Services (AD FS) 1.x through 2.1 on Windows Server 2003 R2 SP2, Windows Server 2008 SP2 and R2 SP1, and Windows Server 2012 allows remote attackers to obtain sensitive information about the service account, and possibly conduct… |
| CVE-2014-6331 | Microsoft / Active Directory Federation Services |  | 0.02 | — | 0.20 |  | Nov 11, 2014 | Microsoft Active Directory Federation Services (AD FS) 2.0, 2.1, and 3.0, when a configured SAML Relying Party lacks a sign-out endpoint, does not properly process logoff actions, which makes it easier for remote attackers to obtain access by leveraging an unattended… |
| CVE-2015-1757 | Microsoft / Active Directory Federation Services |  | 0.01 | — | 0.11 |  | Jun 10, 2015 | Cross-site scripting (XSS) vulnerability in adfs/ls in Active Directory Federation Services (AD FS) in Microsoft Windows Server 2008 SP2 and R2 SP1 and Server 2012 allows remote attackers to inject arbitrary web script or HTML via the wct parameter, aka "ADFS XSS Elevation of… |
| CVE-2015-1638 | Microsoft / Active Directory Federation Services |  | 0.01 | — | 0.13 |  | Apr 14, 2015 | Microsoft Active Directory Federation Services (AD FS) 3.0 on Windows Server 2012 R2 does not properly handle logoff actions, which allows remote attackers to bypass intended access restrictions by leveraging an unattended workstation, aka "Active Directory Federation Services… |
| CVE-2009-2509 | Microsoft / Active Directory Federation Services |  | 0.01 | — | 0.17 |  | Dec 9, 2009 | Active Directory Federation Services (ADFS) in Microsoft Windows Server 2003 SP2 and Server 2008 Gold and SP2 does not properly validate headers in HTTP requests, which allows remote authenticated users to execute arbitrary code via a crafted request to an IIS web server, aka… |
| CVE-2025-21193 | Microsoft / Active Directory Federation Services |  | 0.00 | — | 0.01 |  | Jan 14, 2025 | Active Directory Federation Server Spoofing Vulnerability |
| CVE-2009-2508 | Microsoft / Active Directory Federation Services |  | 0.00 | — | 0.01 |  | Dec 9, 2009 | The single sign-on implementation in Active Directory Federation Services (ADFS) in Microsoft Windows Server 2003 SP2 and Server 2008 Gold and SP2 does not properly remove credentials at the end of a network session, which allows physically proximate attackers to obtain the… |