CVE-2024-25573

MEDIUM

PingFederate 12.1.0-12.1.3, 12.0.0-12.0.5, 11.3.0-11.3.8, 11.2.0-11.2.9 Stored XSS in Admin Console

Title source: llm
STIX 2.1

Description

Unsanitized user-supplied data saved in the PingFederate Administrative Console could trigger the execution of JavaScript code in subsequent user processing.

Scores

CVSS v4 6.9
EPSS 0.0032
EPSS Percentile 24.2%
CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:N/R:U/V:X/RE:M/U:Red

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE
CWE-79
Status published
Products (4)
Ping Identity/PingFederate 11.2.0 - 11.2.10
Ping Identity/PingFederate 11.3.0 - 11.3.9
Ping Identity/PingFederate 12.0.0 - 12.0.6
Ping Identity/PingFederate 12.1.0 - 12.1.4
Published Jun 15, 2025
Tracked Since Feb 18, 2026