6 matches found
CVE-2021-35464
CVE-2021-35464 affects ForgeRock OpenAM/Access Management: Java deserialization in the JATO framework allows pre-auth remote code execution on ForgeRock AM Core Server when running versions prior to 7.0. An attacker can trigger RCE by sending a crafted HTTP request to endpoints like /ccversion/Ve...
CVE-2017-14394
The CVE-2017-14394 affects ForgeRock OpenAM (OAuth 2.0 Authorization Server) versions 13.5.0–13.5.1 and Access Management (AM) 5.0.0–5.1.1. The issue is improper validation of redirect_uri for certain invalid requests, enabling phishing via an unvalidated redirect. The provided documents do not s...
CVE-2017-14395
ForgeRock Access Management (OpenAM) 13.5.0–13.5.1 and Access Management (AM) 5.0.0–5.1.1 expose a vulnerability where redirect_uri is not properly validated for some invalid requests, enabling a reflected XSS to execute in the user’s browser. This CVE (CVE-2017-14395) is described in multiple so...
CVE-2021-29156
CVE-2021-29156 affects ForgeRock OpenAM (before 13.5.1). An LDAP injection vulnerability via the Webfinger protocol (and password-reset flow) allows unauthenticated attackers to perform character-by-character data extraction, potentially retrieving password hashes, session tokens, or a private ke...
CVE-2016-10097
CVE-2016-10097 affects ForgeRock OpenAM - Access Management 10.1.0. An XML External Entity (XXE) vulnerability exists in the endpoint /SSOPOST/metaAlias/%realm%/idpv2, allowing remote attackers to read arbitrary files via the SAMLRequest parameter. The issue is confirmed by multiple sources in co...
CVE-2014-7246
The CVE-2014-7246 entry concerns OpenAM Core Server versions 9.5.3–9.5.5, 10.0.0–10.0.2, 10.1.0-Xpress, and 11.0.0–11.0.2. A denial-of-service (infinite loop) can be triggered by a crafted cookie in requests when deployed in a multi-server configuration and accessed by remote authenticated users....