It was found that keycloak prior to 3.4.2 final would permit misuse of a client-side /etc/hosts entry to spoof a URL in a password reset request. An attacker could use this flaw to craft a malicious password reset request and gain a valid reset token, leading to information disclosure or further attacks.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
keycloak keycloak |