CVE-2018-14655

Published: Nov 13, 2018 Last Modified: Nov 21, 2024 EU-VD ID: EUVD-2022-2302 Aliases: GHSA-458h-wv48-fq75
ExploitDB:
Other exploit source:
Google Dorks:
MEDIUM 4,6
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: low
User Interaction: required
Scope: unchanged
Confidentiality: low
Integrity: low
Availability: none
LOW 3,5
Source: [email protected]
Access Vector: network
Access Complexity: medium
Authentication: single
Confidentiality: none
Integrity: partial
Availability: none

Description

AI Translation Available

A flaw was found in Keycloak 3.4.3.Final, 4.0.0.Beta2, 4.3.0.Final. When using 'response_mode=form_post' it is possible to inject arbitrary Javascript-Code via the 'state'-parameter in the authentication URL. This allows an XSS-Attack upon succesfully login.

EPSS (Exploit Prediction Scoring System)

Trend Analysis

EPSS (Exploit Prediction Scoring System)

Prevede la probabilità di sfruttamento basata su intelligence sulle minacce e sulle caratteristiche della vulnerabilità.

EPSS Score
0,0022
Percentile
0,4th
Updated

EPSS Score Trend (Last 90 Days)

79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Stable
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Access Control Confidentiality Integrity Availability
Potential Impacts:
Bypass Protection Mechanism Read Application Data Execute Unauthorized Code Or Commands
Applicable Platforms
Technologies: AI/ML, Web Based, Web Server
Likelihood of Exploit: High
View CWE Details
Application

Single Sign-On by Redhat

Product Information
Vendor Redhat
Product Single Sign-On
Version -
cpe:2.3:a:redhat:single_sign-on:-:*:*:*:text-only:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Keycloak by Redhat

Product Information
Vendor Redhat
Product Keycloak
Version 3.4.3
cpe:2.3:a:redhat:keycloak:3.4.3:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Keycloak by Redhat

Product Information
Vendor Redhat
Product Keycloak
Version 4.3.0
cpe:2.3:a:redhat:keycloak:4.3.0:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Keycloak by Redhat

Product Information
Vendor Redhat
Product Keycloak
Version 4.0.0
cpe:2.3:a:redhat:keycloak:4.0.0:beta2:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
Application

Single Sign-On by Redhat

Product Information
Vendor Redhat
Product Single Sign-On
Version 7.2
cpe:2.3:a:redhat:single_sign-on:7.2:*:*:*:*:*:*:*
Common Platform Enumeration - Standardized vulnerability identification
https://access.redhat.com/errata/RHSA-2018:3592
Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:3592
https://access.redhat.com/errata/RHSA-2018:3593
Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:3593
https://access.redhat.com/errata/RHSA-2018:3595
Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:3595
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14655
Issue Tracking Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14655
https://access.redhat.com/errata/RHSA-2018:3592
Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:3592
https://access.redhat.com/errata/RHSA-2018:3593
Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:3593
https://access.redhat.com/errata/RHSA-2018:3595
Vendor Advisory
https://access.redhat.com/errata/RHSA-2018:3595
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14655
Issue Tracking Vendor Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14655