CVE-2017-12158
MEDIUM5.4EPSS 0.67%Keycloak Reflected XSS
發布日:2022/5/13修改日:2026/2/4
描述
It was found that Keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server.
受影響套件(1)
- Maven/org.keycloak:keycloak-parentfrom 0, < 3.4.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
參考連結(6)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2017-12158
- WEBhttps://access.redhat.com/errata/RHSA-2017:2904
- WEBhttps://access.redhat.com/errata/RHSA-2017:2905
- WEBhttps://access.redhat.com/errata/RHSA-2017:2906
- WEBhttps://bugzilla.redhat.com/show_bug.cgi?id=1489161
- WEBhttps://web.archive.org/web/20210124114020/http://www.securityfocus.com/bid/101618