CVE-2018-7272
MEDIUM
ForgeRock Access Management < 5.5.0 - Exposure of Sensitive Information via SSOToken ID in REST API URLs
Title source: llmDescription
The REST APIs in ForgeRock AM before 5.5.0 carry SSOToken IDs in the request URL, so a valid session token is written to any log that records requested URLs (web server, reverse proxy, or application access logs). An attacker who can read such a log file can recover the token ID and, with it, the sensitive information it protects.
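The practical follow-up to this advisory is checking whether tokens have already been logged and scrubbing them. The script below is an added example written for this page, not code from the record or from ForgeRock. It scans Apache/NGINX combined-format access log lines for AM session tokens passed in URLs and produces redacted copies of the offending lines. The sample log lines and token values are constructed; the two URL shapes it looks for (a token path segment after `/json/sessions/` and a `tokenId` query parameter) are assumptions about the pre-5.5 sessions endpoint and should be adjusted to the endpoints actually in use.

```python
import re
from urllib.parse import urlsplit, parse_qs, quote

# Constructed sample lines in Apache/NGINX combined log format. The token
# values are made up and only imitate the look of an AM SSOToken ID.
SAMPLE_LOG = (
    '10.0.0.5 - - [21/Feb/2018:10:12:01 +0000] "POST /openam/json/sessions/'
    'AQIC5wM2LY4SfczntBcXqS9HVpZ5Zft6xvYp8FrJFLX2-ko.*AAJTSQACMDEAAlNLABQtNzUz.*'
    '?_action=validate HTTP/1.1" 200 96\n'
    '10.0.0.7 - - [21/Feb/2018:10:12:05 +0000] "GET /openam/json/users/demo'
    '?_fields=mail HTTP/1.1" 200 210\n'
    '10.0.0.9 - - [21/Feb/2018:10:13:17 +0000] "POST /openam/json/sessions'
    '?_action=logout&tokenId=AQIC5wM2LY4SfcxxxxB4 HTTP/1.1" 200 44\n'
)

# Combined log format: client ident user [timestamp] "METHOD URL PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) (\S+)" (\d{3}) (\S+)')

# Assumed URL shapes (example assumptions, not taken from the advisory):
# a token as the path segment following /json/sessions/, or a tokenId
# query parameter. Extend these for other endpoints in your deployment.
PATH_TOKEN_RE = re.compile(r'/json/sessions/([^/?#]+)')
TOKEN_QUERY_PARAMS = ("tokenId",)


def find_tokens_in_url(url: str) -> list:
    """Return every session-token value carried in a request URL (decoded)."""
    parts = urlsplit(url)
    tokens = []
    m = PATH_TOKEN_RE.search(parts.path)
    if m:
        tokens.append(m.group(1))
    qs = parse_qs(parts.query)  # percent-decodes values such as %2A -> *
    for name in TOKEN_QUERY_PARAMS:
        tokens.extend(qs.get(name, []))
    return tokens


def scan_log(text: str) -> list:
    """Report each log line whose request URL contains a session token."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        client, ts, method, url, _proto, status, _size = m.groups()
        tokens = find_tokens_in_url(url)
        if tokens:
            findings.append({"line": lineno, "client": client, "timestamp": ts,
                             "method": method, "status": int(status),
                             "tokens": tokens})
    return findings


def redact_line(line: str) -> str:
    """Replace token values in one log line with a marker, keeping the rest."""
    m = LOG_RE.match(line)
    if not m:
        return line
    url = m.group(4)
    redacted = url
    for tok in find_tokens_in_url(url):
        # The raw URL may hold the token literally or percent-encoded; try both.
        for candidate in (tok, quote(tok, safe="")):
            redacted = redacted.replace(candidate, "[REDACTED]")
    return line.replace(url, redacted, 1)


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['client']} {f['method']} leaked {len(f['tokens'])} token(s)")
    for line in SAMPLE_LOG.splitlines():
        print(redact_line(line))
```

Run it against real access logs from the web tier in front of AM, not only AM's own logs: reverse proxies and load balancers log full request lines too, and those files are often readable by more people than the AM host itself. Any token found should be treated as exposed and the session terminated.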
References (2)
Core References
Vendor Advisory
https://backstage.forgerock.com/knowledge/kb/book/b21824339
Third Party Advisory
https://hansesecure.de/vulnerability-in-am/
Scores
CVSS v3
6.5
EPSS
0.0088
EPSS Percentile
54.6%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Details
CWE
CWE-200
Status
published
Products (1)
forgerock/access_management
< 5.5.0
Published
Feb 21, 2018
Tracked Since
Feb 18, 2026