Description
It was found that Keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server.
Remediation
References
http://www.securityfocus.com/bid/101618
https://access.redhat.com/errata/RHSA-2017:2904
https://access.redhat.com/errata/RHSA-2017:2905
https://access.redhat.com/errata/RHSA-2017:2906
https://bugzilla.redhat.com/show_bug.cgi?id=1489161
Related Vulnerabilities
CVE-2019-1010266 Vulnerability in maven package org.webjars.bowergithub.lodash:lodash
CVE-2022-31129 Vulnerability in maven package org.webjars.bower:moment
CVE-2018-13863 Vulnerability in npm package bson
CVE-2014-7808 Vulnerability in maven package org.apache.wicket:wicket-core
CVE-2017-3161 Vulnerability in maven package org.apache.hadoop:hadoop-hdfs