CVE-2017-12158

Summary

It was found that Keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server.

Affected Software

VendorProductVersion RangeStatus
Red Hat, Inc.keycloak3.4.0affected

Weaknesses

  • CWE-444: CWE-444

ADP Enrichment

CVE Program Container

Additional References

References