One Identity
Products
8- 5 CVEs
- 3 CVEs
- 3 CVEs
- 2 CVEs
- 1 CVE
- 1 CVE
- 1 CVE
- 0 CVEs
Recent CVEs
15| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2024-45488 | Cri | 0.68 | 9.8 | 0.50 | Aug 30, 2024 | One Identity Safeguard for Privileged Passwords before 7.5.2 allows unauthorized access because of an issue related to cookies. This only affects virtual appliance installations (VMware or HyperV). The fixed versions are 7.0.5.1 LTS, 7.4.2, and 7.5.2. | ||
| CVE-2024-56404 | Cri | 0.64 | 9.9 | 0.01 | Jan 24, 2025 | In One Identity Identity Manager 9.x before 9.3, an insecure direct object reference (IDOR) vulnerability allows privilege escalation. Only On-Premise installations are affected. | ||
| CVE-2023-48654 | Cri | 0.64 | 9.8 | 0.01 | Dec 25, 2023 | One Identity Password Manager before 5.13.1 allows Kiosk Escape. This product enables users to reset their Active Directory passwords on the login screen of a Windows client. It launches a Chromium based browser in Kiosk mode to provide the reset functionality. The escape… | ||
| CVE-2023-51772 | Hig | 0.57 | 8.8 | 0.01 | Dec 25, 2023 | One Identity Password Manager before 5.13.1 allows Kiosk Escape. This product enables users to reset their Active Directory passwords on the login screen of a Windows client. It launches a Chromium based browser in Kiosk mode to provide the reset functionality. The escape… | ||
| CVE-2019-13496 | Hig | 0.53 | 8.1 | 0.01 | Nov 4, 2019 | One Identity Cloud Access Manager before 8.1.4 Hotfix 1 allows OTP bypass via vectors involving a man in the middle, the One Identity Defender product, and replacing a failed SAML response with a successful SAML response. | ||
| CVE-2025-59363 | Hig | 0.50 | 7.7 | 0.00 | Sep 14, 2025 | In One Identity OneLogin before 2025.3.0, a request returns the OIDC client secret with GET Apps API v2 (even though this secret should only be returned when an App is first created), | ||
| CVE-2025-27582 | Hig | 0.49 | 7.6 | 0.00 | Jul 14, 2025 | The Secure Password extension in One Identity Password Manager before 5.14.4 allows local privilege escalation. The issue arises from a flawed security hardening mechanism within the kiosk browser used to display the Password Self-Service site to end users. Specifically, the… | ||
| CVE-2023-4003 | Hig | 0.49 | 7.6 | 0.00 | Sep 27, 2023 | One Identity Password Manager version 5.9.7.1 - An unauthenticated attacker with physical access to a workstation may upgrade privileges to SYSTEM through an unspecified method. CWE-250: Execution with Unnecessary Privileges. | ||
| CVE-2019-13498 | Hig | 0.48 | 7.4 | 0.01 | Jul 29, 2019 | One Identity Cloud Access Manager 8.1.3 does not use HTTP Strict Transport Security (HSTS), which may allow man-in-the-middle (MITM) attacks. This issue is fixed in version 8.1.4. | ||
| CVE-2019-13497 | Med | 0.42 | 6.5 | 0.01 | Nov 4, 2019 | One Identity Cloud Access Manager before 8.1.4 Hotfix 1 allows CSRF for logout requests. | ||
| CVE-2020-7962 | Med | 0.35 | 5.3 | 0.01 | Nov 13, 2020 | An issue was discovered in One Identity Password Manager 5.8. An attacker could enumerate valid answers for a user. It is possible for an attacker to detect a valid answer based on the HTTP response content, and reuse this answer later for a password reset on a chosen password.… | ||
| CVE-2024-40595 | Med | 0.34 | 5.3 | 0.00 | Oct 24, 2024 | An authentication-bypass issue in the RDP component of One Identity Safeguard for Privileged Sessions (SPS) On Premise before 7.5.1 (and LTS before 7.0.5.1) allows man-in-the-middle attackers to obtain access to privileged sessions on target resources by intercepting cleartext… | ||
| CVE-2025-52925 | Med | 0.33 | 5.0 | 0.00 | Jul 2, 2025 | In One Identity OneLogin Active Directory Connector before 6.1.5, encryption of the DirectoryToken was mishandled, aka ST-812. | ||
| CVE-2025-56689 | Med | 0.30 | 4.6 | 0.01 | Sep 3, 2025 | One Identity by Quest Safeguard for Privileged Passwords Appliance 7.5.1.20903 is vulnerable to One Time Password (OTP)/Multifactor Authentication (MFA) bypass using response manipulation. An attacker who intercepts or captures a valid OTP response can bypass the OTP… | ||
| CVE-2025-52924 | Med | 0.26 | 4.0 | 0.00 | Jul 19, 2025 | In One Identity OneLogin before 2025.2.0, the SQL connection "application name" is set based on the value of an untrusted X-RequestId HTTP request header. |
- risk 0.68cvss 9.8epss 0.50
One Identity Safeguard for Privileged Passwords before 7.5.2 allows unauthorized access because of an issue related to cookies. This only affects virtual appliance installations (VMware or HyperV). The fixed versions are 7.0.5.1 LTS, 7.4.2, and 7.5.2.
- risk 0.64cvss 9.9epss 0.01
In One Identity Identity Manager 9.x before 9.3, an insecure direct object reference (IDOR) vulnerability allows privilege escalation. Only On-Premise installations are affected.
- risk 0.64cvss 9.8epss 0.01
One Identity Password Manager before 5.13.1 allows Kiosk Escape. This product enables users to reset their Active Directory passwords on the login screen of a Windows client. It launches a Chromium based browser in Kiosk mode to provide the reset functionality. The escape…
- risk 0.57cvss 8.8epss 0.01
One Identity Password Manager before 5.13.1 allows Kiosk Escape. This product enables users to reset their Active Directory passwords on the login screen of a Windows client. It launches a Chromium based browser in Kiosk mode to provide the reset functionality. The escape…
- risk 0.53cvss 8.1epss 0.01
One Identity Cloud Access Manager before 8.1.4 Hotfix 1 allows OTP bypass via vectors involving a man in the middle, the One Identity Defender product, and replacing a failed SAML response with a successful SAML response.
- risk 0.50cvss 7.7epss 0.00
In One Identity OneLogin before 2025.3.0, a request returns the OIDC client secret with GET Apps API v2 (even though this secret should only be returned when an App is first created),
- risk 0.49cvss 7.6epss 0.00
The Secure Password extension in One Identity Password Manager before 5.14.4 allows local privilege escalation. The issue arises from a flawed security hardening mechanism within the kiosk browser used to display the Password Self-Service site to end users. Specifically, the…
- risk 0.49cvss 7.6epss 0.00
One Identity Password Manager version 5.9.7.1 - An unauthenticated attacker with physical access to a workstation may upgrade privileges to SYSTEM through an unspecified method. CWE-250: Execution with Unnecessary Privileges.
- risk 0.48cvss 7.4epss 0.01
One Identity Cloud Access Manager 8.1.3 does not use HTTP Strict Transport Security (HSTS), which may allow man-in-the-middle (MITM) attacks. This issue is fixed in version 8.1.4.
- risk 0.42cvss 6.5epss 0.01
One Identity Cloud Access Manager before 8.1.4 Hotfix 1 allows CSRF for logout requests.
- risk 0.35cvss 5.3epss 0.01
An issue was discovered in One Identity Password Manager 5.8. An attacker could enumerate valid answers for a user. It is possible for an attacker to detect a valid answer based on the HTTP response content, and reuse this answer later for a password reset on a chosen password.…
- risk 0.34cvss 5.3epss 0.00
An authentication-bypass issue in the RDP component of One Identity Safeguard for Privileged Sessions (SPS) On Premise before 7.5.1 (and LTS before 7.0.5.1) allows man-in-the-middle attackers to obtain access to privileged sessions on target resources by intercepting cleartext…
- risk 0.33cvss 5.0epss 0.00
In One Identity OneLogin Active Directory Connector before 6.1.5, encryption of the DirectoryToken was mishandled, aka ST-812.
- risk 0.30cvss 4.6epss 0.01
One Identity by Quest Safeguard for Privileged Passwords Appliance 7.5.1.20903 is vulnerable to One Time Password (OTP)/Multifactor Authentication (MFA) bypass using response manipulation. An attacker who intercepts or captures a valid OTP response can bypass the OTP…
- risk 0.26cvss 4.0epss 0.00
In One Identity OneLogin before 2025.2.0, the SQL connection "application name" is set based on the value of an untrusted X-RequestId HTTP request header.