Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2023-6717

Опубликовано: 16 апр. 2024
Источник: redhat
CVSS3: 6
EPSS Низкий

Описание

A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issue may allow a malicious admin in one realm or a client with registration access to target users in different realms or applications, executing arbitrary JavaScript in their contexts upon form submission. This can enable unauthorized access and harmful actions, compromising the confidentiality, integrity, and availability of the complete KC instance.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Migration Toolkit for Applications 6mta/mta-ui-rhel9Will not fix
Migration Toolkit for Applications 7mta/mta-ui-rhel9Not affected
Red Hat build of Apicurio Registry 2keycloakAffected
Red Hat build of Quarkusorg.keycloak/keycloak-coreNot affected
Red Hat Data Grid 8keycloakWill not fix
Red Hat Decision Manager 7keycloakFix deferred
Red Hat Developer Hubrhdh/rhdh-hub-rhel9Not affected
Red Hat Fuse 7keycloakWill not fix
Red Hat JBoss Data Grid 7keycloakWill not fix
Red Hat JBoss Enterprise Application Platform 6keycloakOut of support scope

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Moderate
Дефект:
CWE-79
https://bugzilla.redhat.com/show_bug.cgi?id=2253952keycloak: XSS via assertion consumer service URL in SAML POST-binding flow

EPSS

Процентиль: 25%
0.00088
Низкий

6 Medium

CVSS3

Связанные уязвимости

nvd логотип

CVE-2023-6717

CVSS3: 6
nvd
почти 2 года назад

A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issue may allow a malicious admin in one realm or a client with registration access to target users in different realms or applications, executing arbitrary JavaScript in their contexts upon form submission. This can enable unauthorized access and harmful actions, compromising the confidentiality, integrity, and availability of the complete KC instance.

debian логотип

CVE-2023-6717

CVSS3: 6
debian
почти 2 года назад

A flaw was found in the SAML client registration in Keycloak that coul ...

github логотип

GHSA-8rmm-gm28-pj8q

CVSS3: 6
github
почти 2 года назад

Keycloak Cross-site Scripting (XSS) via assertion consumer service URL in SAML POST-binding flow

fstec логотип

BDU:2024-05694

CVSS3: 6
fstec
почти 2 года назад

Уязвимость модуля единого входа в приложения (SAML) программного средства для управления идентификацией и доступом Keycloak, позволяющая нарушителю провести атаку межсайтового скриптинга (XSS)

EPSS

Процентиль: 25%
0.00088
Низкий

6 Medium

CVSS3