VYPR
Vendor

One Identity

Products
8
CVEs
15
Across products
16
Status
Private

Products

8

Recent CVEs

15
  • CVE-2024-45488CriAug 30, 2024
    risk 0.68cvss 9.8epss 0.50

    One Identity Safeguard for Privileged Passwords before 7.5.2 allows unauthorized access because of an issue related to cookies. This only affects virtual appliance installations (VMware or HyperV). The fixed versions are 7.0.5.1 LTS, 7.4.2, and 7.5.2.

  • CVE-2024-56404CriJan 24, 2025
    risk 0.64cvss 9.9epss 0.01

    In One Identity Identity Manager 9.x before 9.3, an insecure direct object reference (IDOR) vulnerability allows privilege escalation. Only On-Premise installations are affected.

  • CVE-2023-48654CriDec 25, 2023
    risk 0.64cvss 9.8epss 0.01

    One Identity Password Manager before 5.13.1 allows Kiosk Escape. This product enables users to reset their Active Directory passwords on the login screen of a Windows client. It launches a Chromium based browser in Kiosk mode to provide the reset functionality. The escape…

  • CVE-2023-51772HigDec 25, 2023
    risk 0.57cvss 8.8epss 0.01

    One Identity Password Manager before 5.13.1 allows Kiosk Escape. This product enables users to reset their Active Directory passwords on the login screen of a Windows client. It launches a Chromium based browser in Kiosk mode to provide the reset functionality. The escape…

  • CVE-2019-13496HigNov 4, 2019
    risk 0.53cvss 8.1epss 0.01

    One Identity Cloud Access Manager before 8.1.4 Hotfix 1 allows OTP bypass via vectors involving a man in the middle, the One Identity Defender product, and replacing a failed SAML response with a successful SAML response.

  • CVE-2025-59363HigSep 14, 2025
    risk 0.50cvss 7.7epss 0.00

    In One Identity OneLogin before 2025.3.0, a request returns the OIDC client secret with GET Apps API v2 (even though this secret should only be returned when an App is first created),

  • CVE-2025-27582HigJul 14, 2025
    risk 0.49cvss 7.6epss 0.00

    The Secure Password extension in One Identity Password Manager before 5.14.4 allows local privilege escalation. The issue arises from a flawed security hardening mechanism within the kiosk browser used to display the Password Self-Service site to end users. Specifically, the…

  • CVE-2023-4003HigSep 27, 2023
    risk 0.49cvss 7.6epss 0.00

    One Identity Password Manager version 5.9.7.1 - An unauthenticated attacker with physical access to a workstation may upgrade privileges to SYSTEM through an unspecified method. CWE-250: Execution with Unnecessary Privileges.

  • CVE-2019-13498HigJul 29, 2019
    risk 0.48cvss 7.4epss 0.01

    One Identity Cloud Access Manager 8.1.3 does not use HTTP Strict Transport Security (HSTS), which may allow man-in-the-middle (MITM) attacks. This issue is fixed in version 8.1.4.

  • CVE-2019-13497MedNov 4, 2019
    risk 0.42cvss 6.5epss 0.01

    One Identity Cloud Access Manager before 8.1.4 Hotfix 1 allows CSRF for logout requests.

  • CVE-2020-7962MedNov 13, 2020
    risk 0.35cvss 5.3epss 0.01

    An issue was discovered in One Identity Password Manager 5.8. An attacker could enumerate valid answers for a user. It is possible for an attacker to detect a valid answer based on the HTTP response content, and reuse this answer later for a password reset on a chosen password.…

  • CVE-2024-40595MedOct 24, 2024
    risk 0.34cvss 5.3epss 0.00

    An authentication-bypass issue in the RDP component of One Identity Safeguard for Privileged Sessions (SPS) On Premise before 7.5.1 (and LTS before 7.0.5.1) allows man-in-the-middle attackers to obtain access to privileged sessions on target resources by intercepting cleartext…

  • CVE-2025-52925MedJul 2, 2025
    risk 0.33cvss 5.0epss 0.00

    In One Identity OneLogin Active Directory Connector before 6.1.5, encryption of the DirectoryToken was mishandled, aka ST-812.

  • CVE-2025-56689MedSep 3, 2025
    risk 0.30cvss 4.6epss 0.01

    One Identity by Quest Safeguard for Privileged Passwords Appliance 7.5.1.20903 is vulnerable to One Time Password (OTP)/Multifactor Authentication (MFA) bypass using response manipulation. An attacker who intercepts or captures a valid OTP response can bypass the OTP…

  • CVE-2025-52924MedJul 19, 2025
    risk 0.26cvss 4.0epss 0.00

    In One Identity OneLogin before 2025.2.0, the SQL connection "application name" is set based on the value of an untrusted X-RequestId HTTP request header.