CVE-2018-14655 MEDIUM

CVE-2018-14655

Vendor Red Hat
Product keycloak
Weakness CWE-79 · XSS
Published November 13, 2018
Last update August 5, 2024

CVSS base score

4.6/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

What the vulnerability does

01Description

A flaw was found in Keycloak 3.4.3.Final, 4.0.0.Beta2, 4.3.0.Final. When using 'response_mode=form_post' it is possible to inject arbitrary Javascript-Code via the 'state'-parameter in the authentication URL. This allows an XSS-Attack upon succesfully login.

Key dates

02Disclosure timeline

November 13, 2018 CVE published
August 5, 2024 Record updated

Related vulnerabilities

04Related CVE