Описание
JBoss KeyCloak: XSS in login-status-iframe.html
If a JBoss Keycloak application was configured to use '*' as a permitted web origin in the Keycloak administrative console, crafted requests to the login-status-iframe.html endpoint could inject arbitrary Javascript into the generated HTML code via the "origin" query parameter, leading to a cross-site scripting (XSS) vulnerability.
Отчет
This issue does not affect any supported Red Hat products.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat JBoss Enterprise Web Server 1 | mobile | Not affected |
Показывать по
10
Дополнительная информация
Статус:
Low
Дефект:
CWE-79
https://bugzilla.redhat.com/show_bug.cgi?id=1144994KeyCloak: XSS in login status iframe
4.3 Medium
CVSS2
Связанные уязвимости
CVSS3: 6.1
github
больше 3 лет назад
JBoss KeyCloak Cross-site Scripting Vulnerability
4.3 Medium
CVSS2