NuytsTech Security

CVE-2017-12158

by ·

It was found that Keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server.

Date published : 2017-10-26

http://www.securityfocus.com/bid/101618

https://bugzilla.redhat.com/show_bug.cgi?id=1489161

Tags: