Primary

Context

Ping Identity PingFederate Cross-Site Scripting Vulnerability in Administrative Console

Vulnerability

Patched

A cross-site scripting vulnerability has been identified in Ping Identity PingFederate. Unsanitized user-supplied data saved in the Administrative Console can trigger the execution of JavaScript code during subsequent user processing. This issue affects PingFederate versions 11.1.6, 11.1.7, 11.2.6, 11.2.7, 11.3.6, 11.3.7, 12.0.6, 12.0.7, 12.1.6, and 12.1.7.

Impact

Exploitation of this vulnerability allows for cross-site scripting, where an attacker can inject and execute malicious scripts in the context of the user's browser.

Reproduction

To reproduce this vulnerability, save unsanitized data in the PingFederate Administrative Console. When the data is processed by another user, the injected JavaScript code will execute, demonstrating the cross-site scripting vulnerability.

Remediation

Users can upgrade to PingFederate versions 11.1.8, 11.2.8, 11.3.8, 12.0.8, or 12.1.8, where this vulnerability has been fixed.

Added: Jun 15, 2025, 4:18 PM

Updated: Jun 15, 2025, 4:18 PM

Vulnerability Rating

Custom Algorithm

spread

3.4

impact

1.7

exploitability

5.0

remediation

7.7

relevance

0.2

threat

1.6

urgency

10.0

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

3.4

impact

1.7

exploitability

5.0

remediation

7.7

relevance

0.2

threat

1.6

urgency

10.0

incentive

1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Ping Identity PingFederate Cross-Site Scripting Vulnerability in Administrative Console

Vulnerability

Impact

Reproduction

Remediation

Affected Products

PingFederate

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating