Description
Keycloak was found to accept the URL carried in the HTTP Host header of requests to the admin console and to use it when building the locations of the console's web resources (such as its scripts). An attacker could use this flaw against an authenticated user to obtain reflected XSS: a console page whose resource URLs point at a malicious server causes that server's script to run in the context of the admin console.
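The pattern behind this flaw, as an added example that is not Keycloak's code: a resource-URL builder that trusts the Host header, next to a builder that uses a configured canonical base and rejects an unexpected Host (a generic mitigation assumed for illustration, not the project's actual fix), and a check that flags a response whose script URLs were derived from the Host value a probe sent. The hostnames, the `ADMIN_SCRIPT_PATH` and the probe request are constructed for the example.

```python
# Added illustration for the flaw described above; this is not Keycloak's code.
# It contrasts a resource-URL builder that trusts the Host header with one that
# uses a configured canonical base, and gives a check that flags responses whose
# resource URLs were derived from the Host value a probe sent.
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed deployment values (constructed for the example).
CANONICAL_BASE = "https://sso.example.com"
ALLOWED_HOSTS = {"sso.example.com"}
# Assumed path of a console script; the real resource paths are not part of this page.
ADMIN_SCRIPT_PATH = "/auth/resources/admin/js/app.js"


def resource_base_vulnerable(headers: dict) -> str:
    """Pattern the advisory describes: the client-controlled Host header decides
    where the page tells the browser to fetch scripts from."""
    scheme = headers.get("X-Forwarded-Proto", "https")
    return f"{scheme}://{headers['Host']}"


def resource_base_hardened(headers: dict) -> str:
    """Generic mitigation (an assumption, not the project's actual fix): resource
    URLs come from a configured base, and an unexpected Host is rejected outright."""
    host = headers.get("Host", "")
    hostname = host.split(":", 1)[0].lower()
    if hostname not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected Host header: {host!r}")
    return CANONICAL_BASE


def render_admin_console(base: str) -> str:
    """Minimal stand-in for the console page: one script tag built from `base`."""
    return (
        "<html><head>"
        f'<script src="{base}{ADMIN_SCRIPT_PATH}"></script>'
        "</head><body></body></html>"
    )


class _ResourceCollector(HTMLParser):
    """Collects script src and link href values from an HTML document."""

    def __init__(self) -> None:
        super().__init__()
        self.urls: list[str] = []

    def handle_starttag(self, tag, attrs) -> None:
        attr = dict(attrs)
        if tag == "script" and attr.get("src"):
            self.urls.append(attr["src"])
        elif tag == "link" and attr.get("href"):
            self.urls.append(attr["href"])


def resource_urls(html: str) -> list[str]:
    """All script/link resource URLs found in the page."""
    parser = _ResourceCollector()
    parser.feed(html)
    return parser.urls


def host_header_reflected(html: str, sent_host: str) -> list[str]:
    """Return resource URLs whose authority equals the Host value the probe sent.
    Probe with a host the deployment does not own; any hit means the page would
    load script from a server chosen by whoever controls the Host header."""
    sent = sent_host.lower()
    return [u for u in resource_urls(html) if urlsplit(u).netloc.lower() == sent]


if __name__ == "__main__":
    probe = {"Host": "attacker.example"}  # constructed probe request
    page = render_admin_console(resource_base_vulnerable(probe))
    print("vulnerable builder:", host_header_reflected(page, "attacker.example"))
    try:
        resource_base_hardened(probe)
    except ValueError as err:
        print("hardened builder:", err)
```

When probing a real deployment, send the Host value to the admin console URL with a session cookie for an authenticated user and run `host_header_reflected` over the response body; relative resource URLs never match, so only absolute URLs built from the supplied Host are reported.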
Vulnerable configurations
Configuration 1 (all of the following):
  One of:
  - cpe:2.3:a:redhat:single_sign_on:7.0:*:*:*:*:*:*:*
  - cpe:2.3:a:redhat:single_sign_on:7.1:*:*:*:*:*:*:*
  One of:
  - cpe:2.3:o:redhat:enterprise_linux_server:6.0:*:*:*:*:*:*:*
  - cpe:2.3:o:redhat:enterprise_linux_server:7.0:*:*:*:*:*:*:*
Configuration 2:
  - cpe:2.3:a:keycloak:keycloak:-:*:*:*:*:*:*:* (no version specified)
EPSS
Score: 0.00668 (71st percentile), Low
Severity
CVSS3: 5.4 Medium
CVSS2: 3.5 Low
Weaknesses
CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling')
CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Related vulnerabilities
redhat, CVSS3: 5.4, more than 8 years ago
  It was found that Keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server.
debian, CVSS3: 5.4, more than 8 years ago
  It was found that Keycloak would accept a HOST header URL in the admin ...