← back
CVE-2017-12158

CVE-2017-12158

EPSS 1.0%CWE-444
It was found that Keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server.
Affected products
Red Hat, Inc. · keycloak

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://access.redhat.com/errata/RHSA-2017:2904https://access.redhat.com/errata/RHSA-2017:2905https://access.redhat.com/errata/RHSA-2017:2906https://bugzilla.redhat.com/show_bug.cgi?id=1489161http://www.securityfocus.com/bid/101618