AM 5.0.0, 5.1.0
- 15.12.2017 Vendor informed
- X.01.2018 Vendor patched flaw
- 24.01.2018 Vendor released Security Advisory
ForgeRock AM is vulnerable to unauthorized access. The TokenIDs are sent via HTTP GET requests, so they end up stored in several places such as proxy logs, the local browser history and the like. This could be abused by malicious administrators.
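As an added example (not part of the advisory or of ForgeRock's code), the following scrubber finds GET requests in proxy access logs that carry a token in the URL and redacts the value, which helps when cleaning up logs written before the patch. The parameter name `tokenId`, the `/am/example` path and the sample log lines are assumptions constructed for illustration; the advisory does not name the parameter.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode, urlunsplit

# Assumption: query parameter names (lowercased) that carry a token ID.
# The advisory does not name the parameter; adjust to your deployment.
TOKEN_PARAMS = {"tokenid"}

# Request field of a Common Log Format line: "METHOD target PROTOCOL"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def redact_target(target):
    """Return (redacted_target, hit_count) for one request target."""
    parts = urlsplit(target)
    hits, pairs = 0, []
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        redact = name.lower() in TOKEN_PARAMS and bool(value)
        hits += redact
        pairs.append((name, "REDACTED" if redact else value))
    if not hits:
        return target, 0  # leave untouched targets byte-for-byte identical
    return urlunsplit(parts._replace(query=urlencode(pairs, safe="/"))), hits

def scrub_line(line):
    """Redact token values in one log line; return (line, hit_count)."""
    m = REQUEST_RE.search(line)
    if not m or m.group("method") != "GET":
        return line, 0
    target, hits = redact_target(m.group("target"))
    return line[:m.start("target")] + target + line[m.end("target"):], hits

# Constructed sample proxy log lines (not taken from a real system).
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Jan/2018:10:00:01 +0000] '
    '"GET /am/example?tokenId=AQIC5wM2EXAMPLE&realm=/ HTTP/1.1" 200 512',
    '10.0.0.5 - - [24/Jan/2018:10:00:02 +0000] "POST /am/example HTTP/1.1" 200 128',
    '10.0.0.7 - - [24/Jan/2018:10:00:03 +0000] "GET /am/app.js?v=3 HTTP/1.1" 200 900',
]

def scrub_log(lines):
    """Return (scrubbed_lines, 1-based numbers of lines that exposed a token)."""
    out, exposed = [], []
    for n, line in enumerate(lines, 1):
        clean, hits = scrub_line(line)
        out.append(clean)
        if hits:
            exposed.append(n)
    return out, exposed

if __name__ == "__main__":
    cleaned, exposed = scrub_log(SAMPLE_LOG)
    print("lines exposing a token:", exposed, *cleaned, sep="\n")
```

Any token found this way was readable by whoever could read the log, so the matching sessions should be invalidated in addition to scrubbing the file.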