Lucene search
K
Database
Vendors
Products
Timeline
Vulnerabilities
Perimeter Scanner
Scanning
Projects
Scanner
Agent Scanning
API Scanning
Manual Audit
Email
Webhook
Resources
Documents
Blog
Glossary
FAQ
Plugins
Pricing
Contacts
About Us
Partners
Branding Guideline
Settings
Sign in
KeycloakKeycloak*

9 matches found

CVE
CVEadded 2020/12/15 8:15 p.m.225 views

CVE-2020-10770

A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack.

5.3CVSS4.9AI score0.92282EPSS
In wildWeb
CVE
CVEadded 2020/11/17 2:15 a.m.144 views

CVE-2020-14389

It was found that Keycloak before version 12.0.0 would permit a user with only view-profile role to manage the resources in the new account console, allowing access and modification of data the user was not intended to have.

8.1CVSS7.7AI score0.00148EPSS
CVE
CVEadded 2020/11/17 2:15 a.m.128 views

CVE-2020-10776

A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a Cross-site scripting attack.

4.8CVSS4.6AI score0.00271EPSS
CVE
CVEadded 2020/01/08 3:15 p.m.125 views

CVE-2019-14820

It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. This vulnerability could allow an attacker to access unauthorized information.

4.3CVSS4.4AI score0.0031EPSS
CVE
CVEadded 2020/09/16 6:15 p.m.118 views

CVE-2020-10748

A flaw was found in Keycloak's data filter, in version 10.0.1, where it allowed the processing of data URLs in some circumstances. This flaw allows an attacker to conduct cross-site scripting or further attacks.

6.1CVSS5.3AI score0.00391EPSS
CVE
CVEadded 2020/09/16 4:15 p.m.107 views

CVE-2020-10758

A vulnerability was found in Keycloak before 11.0.1 where DoS attack is possible by sending twenty requests simultaneously to the specified keycloak server, all with a Content-Length header value that exceeds the actual byte count of the request body.

7.5CVSS7.2AI score0.00529EPSS
CVE
CVEadded 2020/09/16 7:15 p.m.98 views

CVE-2020-1694

A flaw was found in all versions of Keycloak before 10.0.0, where the NodeJS adapter did not support the verify-token-audience. This flaw results in some users having access to sensitive information outside of their permissions.

4.9CVSS4.6AI score0.00275EPSS
CVE
CVEadded 2020/12/15 8:15 p.m.83 views

CVE-2020-14302

A flaw was found in Keycloak before 13.0.0 where an external identity provider, after successful authentication, redirects to a Keycloak endpoint that accepts multiple invocations with the use of the same "state" parameter. This flaw allows a malicious user to perform replay attacks.

4.9CVSS5AI score0.00154EPSS
CVE
CVEadded 2020/05/04 9:15 p.m.58 views

CVE-2020-10686

A flaw was found in Keycloak version 8.0.2 and 9.0.0, and was fixed in Keycloak version 9.0.1, where a malicious user registers as oneself. The attacker could then use the remove devices form to post different credential IDs and possibly remove MFA devices for other users.

6.5CVSS4.6AI score0.00238EPSS