Forgerock vulnerabilities

DATE CVE VULNERABILITY TITLE RISK
2021-08-25  CVE-2021-37154  XML Injection (aka Blind XPath Injection) vulnerability in Forgerock Access Management
    In ForgeRock Access Management (AM) before 7.0.2, the SAML2 implementation allows XML injection, potentially enabling a fraudulent SAML 2.0 assertion.
    Risk: network, low complexity, forgerock CWE-91, critical, 9.8

2021-07-22  CVE-2021-35464  Deserialization of Untrusted Data vulnerability in Forgerock AM and Openam
    ForgeRock AM server before 7.0 has a Java deserialization vulnerability in the jato.pageSession parameter on multiple pages.
    Risk: network, low complexity, forgerock CWE-502, critical, 9.8

2021-03-25  CVE-2021-29156  Injection vulnerability in Forgerock Openam
    ForgeRock OpenAM before 13.5.1 allows LDAP injection via the Webfinger protocol.
    Risk: network, low complexity, forgerock CWE-74, 7.5

2020-08-31  CVE-2020-17465  Cross-site Scripting vulnerability in Forgerock Identity Manager 6.0.0.6/6.5.0.4
    Dashboards and progressiveProfileForms in ForgeRock Identity Manager before 7.0.0 are vulnerable to stored XSS.
    Risk: network, low complexity, forgerock CWE-79, 6.1

2019-08-05  CVE-2019-3800  Information Exposure vulnerability in multiple products
    CF CLI version prior to v6.45.0 (bosh release version 1.16.0) writes the client id and secret to its config file when the user authenticates with the --client-credentials flag.
    Risk: 7.8

2019-06-19  CVE-2017-14395  Cross-site Scripting vulnerability in Forgerock Access Management and Openam
    OAuth 2.0 Authorization Server of ForgeRock Access Management (OpenAM) 13.5.0-13.5.1 and Access Management (AM) 5.0.0-5.1.1 does not correctly validate redirect_uri for some invalid requests, which allows attackers to execute a script in the user's browser via reflected XSS.
    Risk: network, low complexity, forgerock CWE-79, 6.1

2019-06-19  CVE-2017-14394  Open Redirect vulnerability in Forgerock Access Management and Openam
    OAuth 2.0 Authorization Server of ForgeRock Access Management (OpenAM) 13.5.0-13.5.1 and Access Management (AM) 5.0.0-5.1.1 does not correctly validate redirect_uri for some invalid requests, which allows attackers to perform phishing via an unvalidated redirect.
    Risk: network, low complexity, forgerock CWE-601, 6.1

2018-02-21  CVE-2018-7272  Information Exposure vulnerability in Forgerock Access Management 5.0.0/5.1.0/5.1.1
    The REST APIs in ForgeRock AM before 5.5.0 include SSOToken IDs as part of the URL, which allows attackers to obtain sensitive information by finding an ID value in a log file.
    Risk: network, low complexity, forgerock CWE-200, 6.5

2017-02-03  CVE-2016-6500  Improper Input Validation vulnerability in Forgerock Racf Connector 1.1.0.0
    Unspecified methods in the RACF Connector component before 1.1.1.0 in ForgeRock OpenIDM and OpenICF improperly call the SearchControls constructor with returnObjFlag set to true, which allows remote attackers to execute arbitrary code via a crafted serialized Java object, aka LDAP entry poisoning.
    Risk: network, high complexity, forgerock CWE-20, 8.1

2017-01-02  CVE-2016-10097  XXE vulnerability in Forgerock Openam 10.1.0
    XML External Entity (XXE) Vulnerability in /SSOPOST/metaAlias/%realm%/idpv2 in OpenAM - Access Management 10.1.0 allows remote attackers to read arbitrary files via the SAMLRequest parameter.
    Risk: network, low complexity, forgerock CWE-611, 7.5