CVE-2018-14655 — Cross-site Scripting in RED HAT Keycloak

CWE-79 — Cross-site Scripting6 documents6 sources

Severity

5.4MEDIUMNVD

CNA4.6

EPSS

0.2%

top 55.27%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

RED HAT Keycloak Redhat Keycloak Redhat Single Sign-on

Timeline

PublishedNov 13

Latest updateMay 13

Description

A flaw was found in Keycloak 3.4.3.Final, 4.0.0.Beta2, 4.3.0.Final. When using 'response_mode=form_post' it is possible to inject arbitrary Javascript-Code via the 'state'-parameter in the authentication URL. This allows an XSS-Attack upon succesfully login.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

▶NVDredhat/keycloak3.4.3, 4.0.0, 4.3.0+2

▶CVEListV5red_hat/keycloak3.4.3.Final, 4.0.0.Beta2, 4.3.0.Final

▶NVDredhat/single_sign-on7.2

🔴Vulnerability Details

OSV

Keycloak vulnerable to cross-site scripting via the state parameter↗2022-05-13

▶

GHSA

Keycloak vulnerable to cross-site scripting via the state parameter↗2022-05-13

▶

CVEList

CVE-2018-14655: A flaw was found in Keycloak 3↗2018-11-13

▶

📋Vendor Advisories

Red Hat

keycloak: XSS-Vulnerability with response_mode=form_post↗2018-11-13

▶

💬Community

Bugzilla

CVE-2018-14655 keycloak: XSS-Vulnerability with response_mode=form_post↗2018-09-04

▶