Description
It was found that Keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server.
Affected packages

| Platform | Package | State | Advisory | Release date |
|---|---|---|---|---|
| Red Hat Mobile Application Platform 4 | keycloak | Will not fix | | |
| Red Hat Single Sign-On 7.1 | | Fixed | RHSA-2017:2906 | 17.10.2017 |
| Red Hat Single Sign-On 7.1 for RHEL 6 | rh-sso7-keycloak | Fixed | RHSA-2017:2904 | 17.10.2017 |
| Red Hat Single Sign-On 7.1 for RHEL 7 | rh-sso7-keycloak | Fixed | RHSA-2017:2905 | 17.10.2017 |
Additional information

Status:

CVSS3: 5.4 Medium