120 matches found
One Identity OneLogin SQL注入漏洞
One Identity OneLogin is an identity and access management software from US-based One Identity. An SQL injection vulnerability exists in One Identity OneLogin versions prior to 2025.2.0, which stems from an improperly set SQL connection application name that could lead to information disclosure...
CVE-2025-52924
In One Identity OneLogin before 2025.2.0, the SQL connection "application name" is set based on the value of an untrusted X-RequestId HTTP request header...
CVE-2025-52924
CVE-2025-52924 affects One Identity OneLogin before 2025.2.0, where the SQL connection “application name” is derived from an untrusted X-RequestId header. This can lead to information disclosure about the SQL connection name. Affected: OneLogin prior to 2025.2.0. Impact per sources: low confident...
CVE-2025-52925
In One Identity OneLogin Active Directory Connector before 6.1.5, encryption of the DirectoryToken was mishandled, aka ST-812...
CVE-2025-34063
A cryptographic authentication bypass vulnerability exists in OneLogin AD Connector prior to 6.1.5 due to the exposure of a tenant’s SSO JWT signing key via the /api/adc/v4/configuration endpoint. An attacker in possession of the signing key can craft valid JWT tokens impersonating arbitrary user...
CVE-2025-34064
A cloud infrastructure misconfiguration in OneLogin AD Connector results in log data being sent to a hardcoded S3 bucket onelogin-adc-logs-production without validating bucket ownership. An attacker who registers this unclaimed bucket can begin receiving log files from other OneLogin tenants. The...
CVE-2025-34062
An information disclosure vulnerability exists in OneLogin AD Connector versions prior to 6.1.5 via the /api/adc/v4/configuration endpoint. An attacker with access to a valid directorytoken—which may be retrievable from host registry keys or improperly secured logs—can retrieve a plaintext respon...
CVE-2025-52925
In One Identity OneLogin Active Directory Connector before 6.1.5, encryption of the DirectoryToken was mishandled, aka ST-812...
CVE-2025-52925
In One Identity OneLogin Active Directory Connector before 6.1.5, encryption of the DirectoryToken was mishandled, aka ST-812...
CVE-2025-52925
In One Identity OneLogin Active Directory Connector before 6.1.5, encryption of the DirectoryToken was mishandled, aka ST-812...
CVE-2025-52925
The vulnerability CVE-2025-52925 affects One Identity OneLogin Active Directory Connector versions prior to 6.1.5, where DirectoryToken encryption was mishandled (aka ST-812). Affected component: the connector’s encryption handling of DirectoryToken. Reported impact is limited to the mismanagemen...
One Identity OneLogin Active Directory Connector 安全漏洞
One Identity OneLogin Active Directory Connector is a connector software from One Identity USA. A security vulnerability exists in One Identity OneLogin Active Directory Connector versions prior to 6.1.5 that stems from improper handling of DirectoryToken encryption...
CVE-2025-34064
A cloud infrastructure misconfiguration in OneLogin AD Connector results in log data being sent to a hardcoded S3 bucket onelogin-adc-logs-production without validating bucket ownership. An attacker who registers this unclaimed bucket can begin receiving log files from other OneLogin tenants. The...
CVE-2025-34062
An information disclosure vulnerability exists in OneLogin AD Connector versions prior to 6.1.5 via the /api/adc/v4/configuration endpoint. An attacker with access to a valid directorytoken—which may be retrievable from host registry keys or improperly secured logs—can retrieve a plaintext respon...
CVE-2025-34063
A cryptographic authentication bypass vulnerability exists in OneLogin AD Connector prior to 6.1.5 due to the exposure of a tenant’s SSO JWT signing key via the /api/adc/v4/configuration endpoint. An attacker in possession of the signing key can craft valid JWT tokens impersonating arbitrary user...
CVE-2025-34064 OneLogin AD Connector Log S3 Bucket Hijack Leading to Cross-Tenant Data Leakage
A cloud infrastructure misconfiguration in OneLogin AD Connector results in log data being sent to a hardcoded S3 bucket onelogin-adc-logs-production without validating bucket ownership. An attacker who registers this unclaimed bucket can begin receiving log files from other OneLogin tenants. The...
CVE-2025-34064
OneLogin AD Connector is affected by a cloud infrastructure misconfiguration that sends log data to a hardcoded S3 bucket (onelogin-adc-logs-production) without validating bucket ownership. An attacker who registers an unclaimed bucket can receive log files from other tenants, potentially exposin...
CVE-2025-34064 OneLogin AD Connector Log S3 Bucket Hijack Leading to Cross-Tenant Data Leakage
A cloud infrastructure misconfiguration in OneLogin AD Connector results in log data being sent to a hardcoded S3 bucket onelogin-adc-logs-production without validating bucket ownership. An attacker who registers this unclaimed bucket can begin receiving log files from other OneLogin tenants. The...
CVE-2025-34063 OneLogin AD Connector JWT Authentication Bypass via Exposed Signing Key
A cryptographic authentication bypass vulnerability exists in OneLogin AD Connector prior to 6.1.5 due to the exposure of a tenant’s SSO JWT signing key via the /api/adc/v4/configuration endpoint. An attacker in possession of the signing key can craft valid JWT tokens impersonating arbitrary user...
CVE-2025-34063 OneLogin AD Connector JWT Authentication Bypass via Exposed Signing Key
A cryptographic authentication bypass vulnerability exists in OneLogin AD Connector prior to 6.1.5 due to the exposure of a tenant’s SSO JWT signing key via the /api/adc/v4/configuration endpoint. An attacker in possession of the signing key can craft valid JWT tokens impersonating arbitrary user...