PT-2015-1069 · Microsoft · Active Directory Federation Services, Windows Server

Published 2015-04-14 · Updated 2019-05-08 · CVE-2015-1638

CVSS v2.0: 5.8 (Medium)

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions

Microsoft Active Directory Federation Services (AD FS) 3.0 on Windows Server 2012 R2

Description

The issue stems from improper handling of logoff actions in Microsoft Active Directory Federation Services (AD FS), which allows remote attackers to bypass intended access restrictions. It can be exploited by leveraging an unattended workstation and may lead to information disclosure: an attacker can regain access to a user's information by reopening an application the user had previously logged out of, without needing the user's username or password. The vulnerability can therefore be used to obtain any data that the user's AD FS account is permitted to access.

Recommendations

For Microsoft Active Directory Federation Services (AD FS) 3.0 on Windows Server 2012 R2, consider implementing additional access controls or monitoring to detect and prevent unauthorized access to user information. As a temporary workaround, restrict access to sensitive applications and data until a proper fix is applied. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Weakness Enumeration

Related Identifiers

BDU:2015-09929
CVE-2015-1638

Affected Products

Active Directory Federation Services
Windows Server