GHSA-4FG7-F244-3J49 HAX open-apis: Credential Theft via Server-Side Request Forgery (SSRF) in open-apis

Summary Multiple functions conduct substring-only matching to validate hostnames to which basic authorization should be sent. An attacker can append the matched substrings to an attacker-controlled endpoint and capture authentication. Details api/services/website/cacheAddress.js,...

CVE-2019-14837

A flaw was found in Keycloak. The use of an open hard-coded domain can allow an unauthorized login by setting up a mail server and resetting the user credentials, enabling information disclosure. Mitigation It is not a very straight forward workaround but it is possible to mitigate this by manual...