CVE-2024-25573
published 2025-06-15

CVE-2024-25573: Unsanitized user-supplied data saved in the PingFederate Administrative Console could trigger the execution of JavaScript code in subsequent user processing.

Priority: P4 30 | Severity: medium | CVSS 4.0 base score: 6.9
Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:L/VI:H/VA:N/SC:L/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:N/R:U/V:X/RE:M/U:Red
EPSS: 0.32% (24.0th percentile)

Affected (4 ranges)

Vendor          Product        Version range        Fixed in
ping_identity   pingfederate   11.2.0 – 11.2.10
ping_identity   pingfederate   11.3.0 – 11.3.9
ping_identity   pingfederate   12.0.0 – 12.0.6
ping_identity   pingfederate   12.1.0 – 12.1.4