Cross-Site Request Forgery on PingFederate Local Identity Profiles Endpoint.
CVE-2022-40724

6.4MEDIUM

Key Information:

Vendor: Ping Identity
Status: Pingfederate
Vendor: CVE Published:; 25 April 2023

🔔 Create Ping Identity Vulnerability Alert

What is CVE-2022-40724?

The PingFederate Local Identity Profiles '/pf/idprofile.ping' endpoint is vulnerable to Cross-Site Request Forgery (CSRF) through crafted GET requests.

Affected Version(s)

PingFederate 10.3.0 < 10.3.0*

PingFederate 10.3.11

PingFederate 11.0.0 < 11.0.0*

References

https://docs.pingidentity.com/r/en-us/pingfederate-110/fl...

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 25, 2023
Vulnerability Reserved
Sep 14, 2022