CVE-2017-12158
Published: 2017-10-26
Severity: medium (CVSS 3.0 base score 5.4)
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
It was found that Keycloak would accept a URL supplied in the HTTP Host header in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to achieve reflected XSS via a malicious server.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| red_hat_inc | keycloak | — | — |
| redhat | single_sign_on | — | — |
| redhat | single_sign_on | — | — |