Floragasse 7 – 5th floor, 1040 Vienna
Subscribe to our Newsletter

News

SBA Security Advisory – Ping Identity Agentless Integration Kit – Reflected Cross-site Scripting (XSS) (CVE-2019-13564)

Vulnerability Overview

Ping Identity Agentless Integration Kit before 1.5 is susceptible to Reflected Cross-site Scripting at the /as/authorization.oauth2 endpoint due to improper encoding of an arbitrarily submitted HTTP GET parameter name.

  • Type of Vulnerability: Cross-site Scripting
  • Fixed in Version: 1.5
  • CVE ID: CVE-2019-13564
  • CVSSv3 Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
  • CVSSv3 Base Score: 6.1 (Medium)

Recommended Countermeasure

We recommend to update Ping Identity Agentless Integration Kit to version 1.5 or later. For further details, see the full security advisory.

Links

Full Security Advisory

Credits