Security Advisories
| # | Title | Date | Severity | Description |
|---|---|---|---|---|
1 |
21 Mar 2019 |
Medium |
MidPoint user interface vulnerable to clickjacking due to missing X-Frame-Options header. |
|
2 |
8 Apr 2019 |
Medium |
MidPoint expressions embedded in midPoint reports can be used to gain unauthorized access to the system. |
|
3 |
17 Apr 2019 |
Medium |
The way how MidPoint handles XML documents is vulnerable to attacks based on XML External Entities (XXE) |
|
4 |
17 Apr 2019 |
High |
LDAP and Active Directory connectors are not properly checking TLS/SSL certificate validity. |
|
5 |
18 Apr 2019 |
Medium |
Any approver can display any workitem by guessing its short identifier. |
|
6 |
13 May 2019 |
Low |
Plaintext password is sometimes left stored in temporary files on a file system. |
|
7 |
23 May 2019 |
Low |
Plaintext passwords are sometimes stored in task objects in the repository (database). |
|
8 |
14 Jun 2019 |
Low |
Cross-site scripting (XSS) vulnerability exists in some parts of midPoint user interface, namely in organization displayName. |
|
9 |
9 Jul 2019 |
Medium |
SOAP-based web service interface of midPoint does not limit authentication attempts. |
|
10 |
30 Jul 2019 |
Medium |
Authorizations not applied properly to the results of "preview changes" functionality. |
|
11 |
30 Aug 2019 |
Medium |
Stored cross-site scripting (XSS) vulnerability exists in midPoint user interface that can be exploited by manipulation of object 'name' property. |
|
12 |
9 Sep 2019 |
Low |
Sessions of users logged-in to midPoint user interface are unaffected by the change of user profiles - until users log in again. |
|
13 |
HTTP error codes used for SecQ REST authentication reveal user existence |
11 Oct 2019 |
Low |
HTTP error codes used for REST authentication based on security questions (a.k.a. SecQ) reveal user existence. |
14 |
2 Mar 2020 |
Informational |
Apache JServ Protocol (AJP) of Apache Tomcat may be vulnerable to several types of attack. |
|
15 |
Disabled Users able to log-in when LDAP authentication is enabled |
5 June 2023 |
Medium |
MidPoint allows log-in for disabled users if LDAP authorization is used. |
16 |
Unauthorized user is able to reset password if focusIdentification is enabled |
5 June 2023 |
High |
MidPoint 4.7 may be vulnerable to password reset attack if new password reset |
17 |
Self Registration feature allows to change password of other users |
5 June 2023 |
High |
MidPoint may be vulnerable to password change attack if self registration or post registration is configured. |
18 |
Less privileged user able to execute custom Groovy scripts via Bulk Tasks |
20 September 2023 |
High |
Non-Administrator users authorized to execute Bulk Actions are able to execute Groovy Scripts if they are able to enter raw XML for bulk actions. |
19 |
20 September 2023 |
High |
Stored cross-site scripting (XSS) vulnerability exists in midPoint user interface that can be exploited by manipulation of object 'displayName' property. |
|
20 |
CSRF protection was not working if user logged using SAML2 or OIDC |
20 September 2023 |
High |
MidPoint may be vulnerable to CSRF attacks if user was authenticated using SAML 2 or OIDC. |
21 |
Not Invited User able to register if Invitation flow is configured |
29 January 2024 |
High |
MidPoint 4.8 may be vulnerable to unauthorized registration if invitation flow is enabled with custom registration form. |
22 |
Some users can execute script code beyond their authorizations |
27 February 2024 |
High |
Users who are authorized to submit raw XML/JSON/YAML object data to midPoint may execute arbitrary scripts. |
23 |
Some users can execute selected operations beyond their authorizations |
27 February 2024 |
High |
Authorized REST users can inject false resource data into midPoint and invoke the import from resources without any further authorizations. |
24 |
27 February 2024 |
Medium |
Hidden panels on details page are accessible by URL manipulation. |