CVE-2024-25566

Published: Oct 29, 2024Modified: Nov 8, 2024

5.1

Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:XShow less

Source: responsible-disclosure@pingidentity.com (Secondary)

Description

An Open-Redirect vulnerability exists in PingAM where well-crafted requests may cause improper validation of redirect URLs. This could allow an attacker to redirect end-users to malicious sites under their control, simplifying phishing attacks

Affected (8)

Products: Forgerock: Access Management

Forgerock

1 product

Access Management

Configuration A

8 vulnerable

Vulnerable Software	Affected Versions
Forgerock Access Management	Up to 7.0.2
Forgerock Access Management	From 7.1.0 to 7.1.4
Forgerock Access Management	From 7.2.0 to 7.2.2
Forgerock Access Management	Version 7.3.0
Forgerock Access Management	Version 7.3.1
Forgerock Access Management	Version 7.4.0
Forgerock Access Management	Version 7.4.1
Forgerock Access Management	Version 7.5.0

Related CWEs

CWE-601

URL Redirection to Untrusted Site ('Open Redirect')

A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.

References (2)

https://backstage.forgerock.com/downloads/browse/am/featured

Source: responsible-disclosure@pingidentity.com

Product

https://backstage.forgerock.com/knowledge/advisories/article/a63463303

Source: responsible-disclosure@pingidentity.com

MitigationVendor Advisory

Timeline

No history available yet.