Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2023-6717

Опубликовано: 25 апр. 2024
Источник: debian
EPSS Низкий

Описание

A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issue may allow a malicious admin in one realm or a client with registration access to target users in different realms or applications, executing arbitrary JavaScript in their contexts upon form submission. This can enable unauthorized access and harmful actions, compromising the confidentiality, integrity, and availability of the complete KC instance.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
keycloakitppackage

EPSS

Процентиль: 25%
0.00088
Низкий

Связанные уязвимости

redhat логотип

CVE-2023-6717

CVSS3: 6
redhat
почти 2 года назад

A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issue may allow a malicious admin in one realm or a client with registration access to target users in different realms or applications, executing arbitrary JavaScript in their contexts upon form submission. This can enable unauthorized access and harmful actions, compromising the confidentiality, integrity, and availability of the complete KC instance.

nvd логотип

CVE-2023-6717

CVSS3: 6
nvd
почти 2 года назад

A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issue may allow a malicious admin in one realm or a client with registration access to target users in different realms or applications, executing arbitrary JavaScript in their contexts upon form submission. This can enable unauthorized access and harmful actions, compromising the confidentiality, integrity, and availability of the complete KC instance.

github логотип

GHSA-8rmm-gm28-pj8q

CVSS3: 6
github
почти 2 года назад

Keycloak Cross-site Scripting (XSS) via assertion consumer service URL in SAML POST-binding flow

fstec логотип

BDU:2024-05694

CVSS3: 6
fstec
почти 2 года назад

Уязвимость модуля единого входа в приложения (SAML) программного средства для управления идентификацией и доступом Keycloak, позволяющая нарушителю провести атаку межсайтового скриптинга (XSS)

EPSS

Процентиль: 25%
0.00088
Низкий