CVE-2024-22477 - OpenCVE

A cross-site scripting vulnerability exists in the admin console OIDC Policy Management Editor. The impact is contained to admin console users only.

No CVSS v4.0

Attack Vector Adjacent Network

Attack Complexity High

Privileges Required High

Scope Unchanged

Confidentiality Impact None

Integrity Impact Low

Availability Impact None

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Pingidentity	Pingfederate

Configuration 1 [-]

OR	cpe:2.3:a:pingidentity:pingfederate::::::::
	cpe:2.3:a:pingidentity:pingfederate::::::::
	cpe:2.3:a:pingidentity:pingfederate::::::::
	cpe:2.3:a:pingidentity:pingfederate::::::::
	cpe:2.3:a:pingidentity:pingfederate::::::::
	cpe:2.3:a:pingidentity:pingfederate:12.0.0:::::::*

No data.

References

Link	Providers
https://docs.pingidentity.com/r/en-us/pingfederate-120/lwu1707324350083

History

Mon, 19 Aug 2024 14:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		Pingidentity Pingidentity pingfederate
CPEs		cpe:2.3:a:pingidentity:pingfederate:::::::: cpe:2.3:a:pingidentity:pingfederate:12.0.0:::::::*
Vendors & Products		Pingidentity Pingidentity pingfederate

MITRE

Status: PUBLISHED

Assigner: Ping Identity

Published: 2024-07-09T23:01:28.611Z

Updated: 2024-08-01T22:51:09.905Z

Reserved: 2024-01-17T17:27:24.603Z

Link: CVE-2024-22477

Vulnrichment

Updated: 2024-08-01T22:51:09.905Z

NVD

Status : Analyzed

Published: 2024-07-09T23:15:10.827

Modified: 2024-08-19T14:21:51.203

Link: CVE-2024-22477

Redhat

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-22477", "assignerOrgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e", "state": "PUBLISHED", "assignerShortName": "Ping Identity", "dateReserved": "2024-01-17T17:27:24.603Z", "datePublished": "2024-07-09T23:01:28.611Z", "dateUpdated": "2024-08-01T22:51:09.905Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://www.pingidentity.com/en/resources/downloads/pingfederate.html", "defaultStatus": "unaffected", "product": "PingFederate", "vendor": "Ping Identity", "versions": [{"lessThanOrEqual": "11.0.9", "status": "affected", "version": "11.0.0", "versionType": "custom"}, {"lessThanOrEqual": "11.1.9", "status": "affected", "version": "11.1.0", "versionType": "custom"}, {"lessThanOrEqual": "11.2.8", "status": "affected", "version": "11.2.0", "versionType": "custom"}, {"lessThanOrEqual": "11.3.4", "status": "affected", "version": "11.3.0", "versionType": "custom"}, {"status": "affected", "version": "12.0.0", "versionType": "custom"}, {"lessThanOrEqual": "10.3.13", "status": "affected", "version": "10.3.0", "versionType": "custom"}]}], "configurations": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "All instances of PingFederate on vulnerable versions are vulnerable to this issue.<br>"}], "value": "All instances of PingFederate on vulnerable versions are vulnerable to this issue."}], "datePublic": "2024-07-09T22:27:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "A cross-site scripting vulnerability exists in the admin console OIDC Policy Management Editor. The impact is contained to admin console users only.<br>"}], "value": "A cross-site scripting vulnerability exists in the admin console OIDC Policy Management Editor. The impact is contained to admin console users only."}], "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 1.8, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e", "shortName": "Ping Identity", "dateUpdated": "2024-07-09T23:01:28.611Z"}, "references": [{"url": "https://docs.pingidentity.com/r/en-us/pingfederate-120/lwu1707324350083"}], "source": {"discovery": "UNKNOWN"}, "title": "PingFederate OIDC Policy Management Editor Cross-Site Scripting", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2024-07-10T13:29:31.833138Z", "id": "CVE-2024-22477", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-10T13:30:14.614Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:51:09.905Z"}, "title": "CVE Program Container", "references": [{"url": "https://docs.pingidentity.com/r/en-us/pingfederate-120/lwu1707324350083", "tags": ["x_transferred"]}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://docs.pingidentity.com/r/en-us/pingfederate-120/lwu1707324350083", "tags": ["x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-01T22:51:09.905Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-22477", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-07-10T13:29:31.833138Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-07-10T13:30:09.753Z"}}], "cna": {"title": "PingFederate OIDC Policy Management Editor Cross-Site Scripting", "source": {"discovery": "UNKNOWN"}, "impacts": [{"capecId": "CAPEC-592", "descriptions": [{"lang": "en", "value": "CAPEC-592 Stored XSS"}]}], "metrics": [{"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 1.8, "attackVector": "ADJACENT_NETWORK", "baseSeverity": "LOW", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "NONE"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Ping Identity", "product": "PingFederate", "versions": [{"status": "affected", "version": "11.0.0", "versionType": "custom", "lessThanOrEqual": "11.0.9"}, {"status": "affected", "version": "11.1.0", "versionType": "custom", "lessThanOrEqual": "11.1.9"}, {"status": "affected", "version": "11.2.0", "versionType": "custom", "lessThanOrEqual": "11.2.8"}, {"status": "affected", "version": "11.3.0", "versionType": "custom", "lessThanOrEqual": "11.3.4"}, {"status": "affected", "version": "12.0.0", "versionType": "custom"}, {"status": "affected", "version": "10.3.0", "versionType": "custom", "lessThanOrEqual": "10.3.13"}], "collectionURL": "https://www.pingidentity.com/en/resources/downloads/pingfederate.html", "defaultStatus": "unaffected"}], "datePublic": "2024-07-09T22:27:00.000Z", "references": [{"url": "https://docs.pingidentity.com/r/en-us/pingfederate-120/lwu1707324350083"}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "A cross-site scripting vulnerability exists in the admin console OIDC Policy Management Editor. The impact is contained to admin console users only.", "supportingMedia": [{"type": "text/html", "value": "A cross-site scripting vulnerability exists in the admin console OIDC Policy Management Editor. The impact is contained to admin console users only.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-79", "description": "CWE-79 Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting')"}]}], "configurations": [{"lang": "en", "value": "All instances of PingFederate on vulnerable versions are vulnerable to this issue.", "supportingMedia": [{"type": "text/html", "value": "All instances of PingFederate on vulnerable versions are vulnerable to this issue.<br>", "base64": false}]}], "providerMetadata": {"orgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e", "shortName": "Ping Identity", "dateUpdated": "2024-07-09T23:01:28.611Z"}}}, "cveMetadata": {"cveId": "CVE-2024-22477", "state": "PUBLISHED", "dateUpdated": "2024-08-01T22:51:09.905Z", "dateReserved": "2024-01-17T17:27:24.603Z", "assignerOrgId": "5998a2e9-ae88-42cd-b6e0-7564fd979f9e", "datePublished": "2024-07-09T23:01:28.611Z", "assignerShortName": "Ping Identity"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:pingidentity:pingfederate:*:*:*:*:*:*:*:*", "matchCriteriaId": "73C9BB16-0B50-40AD-991D-CE55D1B4DE56", "versionEndIncluding": "10.3.13", "versionStartIncluding": "10.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pingidentity:pingfederate:*:*:*:*:*:*:*:*", "matchCriteriaId": "4A809B38-F404-4DB2-BD2C-68D2D4B98A68", "versionEndIncluding": "11.0.9", "versionStartIncluding": "11.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pingidentity:pingfederate:*:*:*:*:*:*:*:*", "matchCriteriaId": "703CAE2D-061F-4FCC-A640-2649656830E4", "versionEndIncluding": "11.1.9", "versionStartIncluding": "11.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pingidentity:pingfederate:*:*:*:*:*:*:*:*", "matchCriteriaId": "9E7DA8B9-7439-4ABC-A37A-D9FF13D8884C", "versionEndIncluding": "11.2.8", "versionStartIncluding": "11.2.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pingidentity:pingfederate:*:*:*:*:*:*:*:*", "matchCriteriaId": "4425C90D-DBB8-4090-A8F0-8ECE129D19DD", "versionEndIncluding": "11.3.4", "versionStartIncluding": "11.3.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:pingidentity:pingfederate:12.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "A62E1361-EFC7-4242-88AD-995A113A6CFC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A cross-site scripting vulnerability exists in the admin console OIDC Policy Management Editor. The impact is contained to admin console users only."}, {"lang": "es", "value": "Existe una vulnerabilidad de Cross Site Scripting en la consola de administraci\u00f3n de OIDC Policy Management Editor. El impacto est\u00e1 limitado a los usuarios de la consola de administraci\u00f3n \u00fanicamente."}], "id": "CVE-2024-22477", "lastModified": "2024-08-19T14:21:51.203", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "CHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 2.7, "source": "nvd@nist.gov", "type": "Primary"}, {"cvssData": {"attackComplexity": "HIGH", "attackVector": "ADJACENT_NETWORK", "availabilityImpact": "NONE", "baseScore": 1.8, "baseSeverity": "LOW", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:U/C:N/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 0.4, "impactScore": 1.4, "source": "responsible-disclosure@pingidentity.com", "type": "Secondary"}]}, "published": "2024-07-09T23:15:10.827", "references": [{"source": "responsible-disclosure@pingidentity.com", "tags": ["Broken Link", "Vendor Advisory"], "url": "https://docs.pingidentity.com/r/en-us/pingfederate-120/lwu1707324350083"}], "sourceIdentifier": "responsible-disclosure@pingidentity.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-79"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-79"}], "source": "responsible-disclosure@pingidentity.com", "type": "Secondary"}]}