Aggregates CVE and security vulnerability intelligence across all oneidentity-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Disclosed issues often relate to vendor risk buffer overflow and vendor risk csrf; exposure may include vendor impact application crash and vendor impact memory corruption in vendor surface production workloads contexts.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2024-47619 | syslog-ng is an enhanced log daemo. Prior to version 4.8.2, `tls_wildcard_match()` matches on certificates such as `foo.*.bar` although that is not allowed. It is also possible to pass partial wildcards such as `foo.a*c.bar` which glib matches but should be avoided / invalidated. This issue could have an impact on TLS connections, such as in man-in-the-middle situations. Version 4.8.2 contains a fix for the issue. | [email protected] | 7.5 | 0.51% | 2025-05-07 | 2025-09-22 |
| CVE-2023-51772 | One Identity Password Manager before 5.13.1 allows Kiosk Escape. This product enables users to reset their Active Directory passwords on the login screen of a Windows client. It launches a Chromium based browser in Kiosk mode to provide the reset functionality. The escape sequence is: wait for a session timeout, click on the Help icon, observe that there is a browser window for the One Identity website, navigate to any website that offers file upload, navigate to cmd.exe from the file explorer w | [email protected] | 8.8 | 0.07% | 2023-12-25 | 2024-11-21 |
| CVE-2023-48654 | One Identity Password Manager before 5.13.1 allows Kiosk Escape. This product enables users to reset their Active Directory passwords on the login screen of a Windows client. It launches a Chromium based browser in Kiosk mode to provide the reset functionality. The escape sequence is: go to the Google ReCAPTCHA section, click on the Privacy link, observe that there is a new browser window, navigate to any website that offers file upload, navigate to cmd.exe from the file explorer window, and lau | [email protected] | 9.8 | 0.36% | 2023-12-25 | 2025-11-04 |
| CVE-2023-4003 | One Identity Password Manager version 5.9.7.1 - An unauthenticated attacker with physical access to a workstation may upgrade privileges to SYSTEM through an unspecified method. CWE-250: Execution with Unnecessary Privileges. | [email protected] | 7.6 | 0.13% | 2023-09-27 | 2024-11-21 |
| CVE-2022-38725 | An integer overflow in the RFC3164 parser in One Identity syslog-ng 3.0 through 3.37 allows remote attackers to cause a Denial of Service via crafted syslog input that is mishandled by the tcp or network function. syslog-ng Premium Edition 7.0.30 and syslog-ng Store Box 6.10.0 are also affected. | [email protected] | 7.5 | 4.92% | 2023-01-23 | 2025-04-03 |
| CVE-2020-7962 | An issue was discovered in One Identity Password Manager 5.8. An attacker could enumerate valid answers for a user. It is possible for an attacker to detect a valid answer based on the HTTP response content, and reuse this answer later for a password reset on a chosen password. The enumeration is possible because, within the HTTP response content, WRONG ID is only returned when the answer is incorrect. | [email protected] | 5.3 | 0.23% | 2020-11-13 | 2024-11-21 |
| CVE-2020-8019 | A UNIX Symbolic Link (Symlink) Following vulnerability in the packaging of syslog-ng of SUSE Linux Enterprise Debuginfo 11-SP3, SUSE Linux Enterprise Debuginfo 11-SP4, SUSE Linux Enterprise Module for Legacy Software 12, SUSE Linux Enterprise Point of Sale 11-SP3, SUSE Linux Enterprise Server 11-SP4-LTSS, SUSE Linux Enterprise Server for SAP 12-SP1; openSUSE Backports SLE-15-SP1, openSUSE Leap 15.1 allowed local attackers controlling the user news to escalate their privileges to root. This issue | [email protected] | 7.7 | 0.15% | 2020-06-29 | 2024-11-21 |
| CVE-2019-13497 | One Identity Cloud Access Manager before 8.1.4 Hotfix 1 allows CSRF for logout requests. | [email protected] | 6.5 | 1.24% | 2019-11-04 | 2024-11-21 |
| CVE-2019-13496 | One Identity Cloud Access Manager before 8.1.4 Hotfix 1 allows OTP bypass via vectors involving a man in the middle, the One Identity Defender product, and replacing a failed SAML response with a successful SAML response. | [email protected] | 8.1 | 0.63% | 2019-11-04 | 2024-11-21 |
| CVE-2019-13498 | One Identity Cloud Access Manager 8.1.3 does not use HTTP Strict Transport Security (HSTS), which may allow man-in-the-middle (MITM) attacks. This issue is fixed in version 8.1.4. | [email protected] | 7.4 | 1.17% | 2019-07-29 | 2024-11-21 |
| CVE-2011-1951 | lib/logmatcher.c in Balabit syslog-ng before 3.2.4, when the global flag is set and when using PCRE 8.12 and possibly other versions, allows remote attackers to cause a denial of service (memory consumption) via a message that does not match a regular expression. | [email protected] | 4.3 | 1.55% | 2011-07-11 | 2026-04-29 |
| CVE-2011-0343 | Balabit syslog-ng 2.0, 3.0, 3.1, 3.2 OSE and PE, when running on FreeBSD or HP-UX, does not properly perform cast operations, which causes syslog-ng to use a default value of -1 to create log files with insecure permissions (07777), which allows local users to read and write to these log files. | [email protected] | 6.9 | 0.04% | 2011-01-28 | 2026-04-29 |
| CVE-2008-5110 | syslog-ng does not call chdir when it calls chroot, which might allow attackers to escape the intended jail. NOTE: this is only a vulnerability when a separate vulnerability is present. This flaw affects syslog-ng versions prior to and including 2.0.9. | [email protected] | 9.3 | 1.09% | 2008-11-17 | 2026-04-23 |
| CVE-2002-1200 | Balabit Syslog-NG 1.4.x before 1.4.15, and 1.5.x before 1.5.20, when using template filenames or output, does not properly track the size of a buffer when constant characters are encountered during macro expansion, which allows remote attackers to cause a denial of service and possibly execute arbitrary code. | [email protected] | 7.5 | 6.53% | 2002-10-28 | 2026-04-16 |