CVE-2017-12158 Vulnerability in maven package org.keycloak:keycloak-server-spi-private

Description

It was found that Keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server.

Remediation

References

http://www.securityfocus.com/bid/101618

https://access.redhat.com/errata/RHSA-2017:2904

https://access.redhat.com/errata/RHSA-2017:2905

https://access.redhat.com/errata/RHSA-2017:2906

https://bugzilla.redhat.com/show_bug.cgi?id=1489161

Related Vulnerabilities

CVE-2019-10776 Vulnerability in npm package git-diff-apply

CVE-2019-19919 Vulnerability in maven package org.webjars.bower:handlebars

CVE-2020-10244 Vulnerability in maven package dev.paseto:jpaseto-impl

CVE-2017-16037 Vulnerability in npm package gomeplus-h5-proxy

CVE-2018-20000 Vulnerability in maven package org.bedework:bw-webdav

Severity

Medium

Classification

CWE-79 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N