What the vulnerability does

01Description

It was found that Keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server.

Key dates

02Disclosure timeline

October 26, 2017 CVE published
September 16, 2024 Record updated