MEDIUM 5.4 Maven
Keycloak vulnerable to cross-site scripting via the state parameter
GHSA-458h-wv48-fq75 · CVE-2018-14655
Published · Modified
Description
A flaw was found in Keycloak 3.4.3.Final, 4.0.0.Beta2, 4.3.0.Final. When using response_mode=form_post it is possible to inject arbitrary Javascript-Code via the 'state'-parameter in the authentication URL. This allows an XSS-Attack upon succesfully login.
References
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2018-14655
- WEB https://access.redhat.com/errata/RHSA-2018:3592
- WEB https://access.redhat.com/errata/RHSA-2018:3593
- WEB https://access.redhat.com/errata/RHSA-2018:3595
- WEB https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14655
- PACKAGE https://github.com/keycloak/keycloak
Ready to move
Start Securing
Free, no credit card | First findings in minutes