Reflected Cross-site Scripting (XSS)

Keycloak services is vulnerable to reflected cross-site scripting XSS attacks. These attacks are possible because keycloak would accept a HOST header URL within the admin console when determining the web resource location...

CVE-2017-12158

It was found that Keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server...