VYPR

Pingfederate

by Pingidentity

CVEs (19)

  • CVE-2024-25573 (severity: Medium; published Jun 15, 2025)
    risk 0.45, cvss (not listed), epss 0.00

    Unsanitized user-supplied data saved in the PingFederate Administrative Console could trigger the execution of JavaScript code in subsequent user processing.

  • CVE-2023-40148 (severity: Medium; published Apr 10, 2024)
    risk 0.42, cvss 6.5, epss 0.00

    Server-side request forgery (SSRF) in PingFederate allows unauthenticated HTTP requests to attack network resources and consume server-side resources via forged HTTP POST requests.

  • CVE-2024-21832 (severity: Low; published Jul 9, 2024)
    risk 0.23, cvss 3.5, epss 0.00

    A potential JSON injection attack vector exists in PingFederate REST API data stores using the POST method and a JSON request body.

  • CVE-2025-21085 (severity: Low; published Jun 15, 2025)
    risk 0.14, cvss (not listed), epss 0.00

    PingFederate OAuth2 grant duplication in PostgreSQL persistent storage allows OAuth2 requests to use excessive memory utilization.

  • CVE-2025-26862 (severity: None; published Oct 27, 2025)
    risk 0.00, cvss (not listed), epss 0.00

    Unexpected authentication form rendering in HTML Form Adapter using only non-default redirectless mode in PingFederate allows authentication attempts which may enable brute force login attacks.

  • CVE-2024-22377 (severity: not listed; published Jul 9, 2024)
    risk 0.00, cvss (not listed), epss 0.00

    The deploy directory in PingFederate runtime nodes is reachable to unauthorized users.

  • CVE-2024-22477 (severity: not listed; published Jul 9, 2024)
    risk 0.00, cvss (not listed), epss 0.00

    A cross-site scripting vulnerability exists in the admin console OIDC Policy Management Editor. The impact is contained to admin console users only.

  • CVE-2023-40545 (severity: not listed; published Feb 6, 2024)
    risk 0.00, cvss (not listed), epss 0.01

    Authentication bypass when an OAuth2 Client is using client_secret_jwt as its authentication method on affected 11.3 versions via specially crafted requests.

  • CVE-2023-34085 (severity: not listed; published Oct 25, 2023)
    risk 0.00, cvss (not listed), epss 0.00

    When an AWS DynamoDB table is used for user attribute storage, it is possible to retrieve the attributes of another user using a maliciously crafted request.

  • CVE-2023-39219 (severity: not listed; published Oct 25, 2023)
    risk 0.00, cvss (not listed), epss 0.01

    A PingFederate Administrative Console dependency contains a weakness where the console becomes unresponsive with crafted Java class loading enumeration requests.

  • CVE-2023-37283 (severity: not listed; published Oct 25, 2023)
    risk 0.00, cvss (not listed), epss 0.01

    Under a very specific and highly unrecommended configuration, authentication bypass is possible in the PingFederate Identifier First Adapter.

  • CVE-2023-39930 (severity: not listed; published Oct 24, 2023)
    risk 0.00, cvss (not listed), epss 0.01

    A first-factor authentication bypass vulnerability exists in PingFederate with the PingID RADIUS PCV when an MSCHAP authentication request is sent via a maliciously crafted RADIUS client request.

  • CVE-2023-39231 (severity: not listed; published Oct 24, 2023)
    risk 0.00, cvss (not listed), epss 0.01

    PingFederate using the PingOne MFA adapter allows a new MFA device to be paired without requiring second factor authentication from an existing registered device. A threat actor may be able to exploit this vulnerability to register their own MFA device if they have knowledge of…

  • CVE-2022-40724 (severity: not listed; published Apr 25, 2023)
    risk 0.00, cvss (not listed), epss 0.00

    The PingFederate Local Identity Profiles '/pf/idprofile.ping' endpoint is vulnerable to Cross-Site Request Forgery (CSRF) through crafted GET requests.

  • CVE-2022-23722 (severity: not listed; published May 2, 2022)
    risk 0.00, cvss (not listed), epss 0.01

    When a password reset mechanism is configured to use the Authentication API with an Authentication Policy, email One-Time Password, PingID or SMS authentication, an existing user can reset another existing user’s password.

  • CVE-2021-42000 (severity: not listed; published Feb 10, 2022)
    risk 0.00, cvss (not listed), epss 0.01

    When a password reset or password change flow with an authentication policy is configured and the adapter in the reset or change policy supports multiple parallel reset flows, an existing user can reset another existing user's password.

  • CVE-2021-41770 (severity: not listed; published Oct 7, 2021)
    risk 0.00, cvss (not listed), epss 0.01

    Ping Identity PingFederate before 10.3.1 mishandles pre-parsing validation, leading to an XXE attack that can achieve XML file disclosure.

  • CVE-2021-40329 (severity: not listed; published Sep 27, 2021)
    risk 0.00, cvss (not listed), epss 0.01

    The Authentication API in Ping Identity PingFederate before 10.3 mishandles certain aspects of external password management.

  • CVE-2014-8489 (severity: not listed; published Dec 12, 2014)
    risk 0.00, cvss (not listed), epss 0.03

    Open redirect vulnerability in startSSO.ping in the SP Endpoints in Ping Identity PingFederate 6.10.1 allows remote attackers to redirect users to arbitrary web sites and conduct phishing attacks via a URL in the TargetResource parameter.