Keycloak error_description injection on error pages that can trigger phishing attacks
Keycloak’s account console accepts arbitrary text in the error_description query parameter. This text is rendered directly in error pages without validation or sanitization. While HTML encoding prevents XSS, an attacker can craft URLs with misleading messages, e.g., fake support phone numbers or...
EUVD-2019-0673
Malware in sbrugna...
CVE-2023-6563
An unconstrained memory consumption vulnerability was discovered in Keycloak. It can be triggered in environments which have millions of offline tokens (500,000 users, each having at least 2 saved sessions). If an attacker creates two or more user sessions and then opens the "consents" tab of th...
GHSA-C9X9-XV66-XP3V Improper privilege management in Keycloak
A flaw was found in Keycloak, where it would permit a user with a view-profile role to manage the resources in the new account console. This flaw allows a user with a view-profile role to access and modify data for which the user does not have adequate permission...
Vulnerability found in Keycloak
A vulnerability has been found in Keycloak. The vulnerability allows a malicious person to use the new account console to execute arbitrary code. Red Hat reports that the vulnerability has been fixed in version 13 of Keycloak. At Keycloak itself, this information cannot be found...
CVE-2021-20222
A flaw was found in keycloak. The new account console in keycloak can allow malicious code to be executed using the referrer URL. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability...
PT-2021-13851 · Red Hat · Keycloak
Name of the Vulnerable Software and Affected Versions: keycloak, affected versions not specified. Description: A flaw was found in the new account console of keycloak, allowing malicious code to be executed using the referrer URL. The highest threat from this issue is to data confidentiality and...
Code injection
It was found that Keycloak before version 12.0.0 would permit a user with only view-profile role to manage the resources in the new account console, allowing access and modification of data the user was not intended to have...
PT-2020-13991 · Red Hat · Keycloak
Name of the Vulnerable Software and Affected Versions: Keycloak versions prior to 12.0.0. Description: A flaw was found in Keycloak, where it would permit a user with a view-profile role to manage the resources in the new account console. This flaw allows a user with a view-profile role to access...
keycloak: user can manage resources with just "view-profile" role using new Account Console
A flaw was found in Keycloak, where it would permit a user with a view-profile role to manage the resources in the new account console. This flaw allows a user with a view-profile role to access and modify data for which the user does not have adequate permission...
keycloak: CSRF check missing in My Resources functionality in the Account Console
It was found that Keycloak's account console did not perform adequate header checks in some requests. An attacker could use this flaw to trick an authenticated user into performing operations via request from an untrusted domain...
CVE-2019-10199
It was found that Keycloak's account console did not perform adequate header checks in some requests. An attacker could use this flaw to trick an authenticated user into performing operations via request from an untrusted domain...
Improper Input Validation and Cross-Site Request Forgery in Keycloak
It was found that Keycloak's account console, up to 6.0.1, did not perform adequate header checks in some requests. An attacker could use this flaw to trick an authenticated user into performing operations via request from an untrusted domain...
GHSA-P5XP-6VPF-JWVH Improper Input Validation and Cross-Site Request Forgery in Keycloak
It was found that Keycloak's account console, up to 6.0.1, did not perform adequate header checks in some requests. An attacker could use this flaw to trick an authenticated user into performing operations via request from an untrusted domain...
CVE-2019-10199
It was found that Keycloak's account console, up to 6.0.1, did not perform adequate header checks in some requests. An attacker could use this flaw to trick an authenticated user into performing operations via request from an untrusted domain...