Uploaded image for project: 'Keycloak'
  1. Keycloak
  2. KEYCLOAK-5225

Code injection. Reflected XSS

    XMLWordPrintable

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Critical
    • Resolution: Done
    • Affects Version/s: 3.0.0.Final, 3.2.0.Final
    • Fix Version/s: 3.3.0.Final, 3.4.0.CR1
    • Component/s: None
    • Labels:
      None

      Description

      Was discovered security issue in two versions of the product: 3.0.0.final and the latest one 3.2.0.

      Server injects *Host * field into the JavaScript ефп in response. This can be used for code injection attack, or Reflected XSS attack.
      Below are shown screenshots for 3.0.0.final version, but on the 3.2.0.final version the same issue was discovered:

        Attachments

          Activity

            People

            Assignee:
            stianst Stian Thorgersen
            Reporter:
            m1chael Michael St (Inactive)
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Dates

              Created:
              Updated:
              Resolved: