CVE-2018-14655

Description

A flaw was found in Keycloak 3.4.3.Final, 4.0.0.Beta2, 4.3.0.Final. When using 'response_mode=form_post' it is possible to inject arbitrary Javascript-Code via the 'state'-parameter in the authentication URL. This allows an XSS-Attack upon succesfully login.

CVSS breakdown

CVSS 3.0

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

Low

Availability

None

Affected products

Red Hat / keycloak3.4.3.Final, 4.0.0.Beta2, 4.3.0.Final – 3.4.3.Final, 4.0.0.Beta2, 4.3.0.Final

References

MISChttps://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14655
VENDOR_ADVISORYhttps://access.redhat.com/errata/RHSA-2018:3592
VENDOR_ADVISORYhttps://access.redhat.com/errata/RHSA-2018:3593
VENDOR_ADVISORYhttps://access.redhat.com/errata/RHSA-2018:3595