It was found that Keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
redhat single_sign_on 7.0 |
||
redhat single_sign_on 7.1 |
||
keycloak keycloak - |