Page 2 of 74 results (0.018 seconds)

CVSS: 7.6EPSS: 0%CPEs: 13EXPL: 0

CVE-2022-1274 – keycloak: HTML injection in execute-actions-email Admin REST API

https://notcve.org/view.php?id=CVE-2022-1274

A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users. • https://bugzilla.redhat.com/show_bug.cgi?id=2073157 https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725 https://herolab.usd.de/security-advisories/usd-2021-0033 https://access.redhat.com/security/cve/CVE-2022-1274 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •

CVSS: 9.1EPSS: 0%CPEs: 1EXPL: 0

CVE-2022-3782 – keycloak: path traversal via double URL encoding

https://notcve.org/view.php?id=CVE-2022-3782

keycloak: path traversal via double URL encoding. A flaw was found in Keycloak, where it does not properly validate URLs included in a redirect. An attacker can use this flaw to construct a malicious request to bypass validation and access other URLs and potentially sensitive information within the domain or possibly conduct further attacks. This flaw affects any client that utilizes a wildcard in the Valid Redirect URIs field. Keycloack: Path Traversal mediante codificación de URL doble. • https://access.redhat.com/security/cve/CVE-2022-3782 https://bugzilla.redhat.com/show_bug.cgi?id=2138971 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') •

CVSS: 6.8EPSS: 0%CPEs: 15EXPL: 0

CVE-2022-3916 – Keycloak: session takeover with oidc offline refreshtokens

https://notcve.org/view.php?id=CVE-2022-3916

A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user. Se encontró una falla en el alcance offline_access en Keycloak. Este problema afectaría más a los usuarios de ordenadores compartidos (especialmente si las cookies no se borran), debido a la falta de validación de la sesión root y a la reutilización de los identificadores de sesión en las sesiones de autenticación de usuario y root. • https://access.redhat.com/errata/RHSA-2022:8961 https://access.redhat.com/errata/RHSA-2022:8962 https://access.redhat.com/errata/RHSA-2022:8963 https://access.redhat.com/errata/RHSA-2022:8964 https://access.redhat.com/errata/RHSA-2022:8965 https://access.redhat.com/errata/RHSA-2023:1043 https://access.redhat.com/errata/RHSA-2023:1044 https://access.redhat.com/errata/RHSA-2023:1045 https://access.redhat.com/errata/RHSA-2023:1047 https://access.redhat.com/errata/RHSA • CWE-384: Session Fixation CWE-613: Insufficient Session Expiration •

CVSS: 4.3EPSS: 0%CPEs: 1EXPL: 0

CVE-2021-3856

https://notcve.org/view.php?id=CVE-2021-3856

ClassLoaderTheme and ClasspathThemeResourceProviderFactory allows reading any file available as a resource to the classloader. By sending requests for theme resources with a relative path from an external HTTP client, the client will receive the content of random files if available. ClassLoaderTheme y ClasspathThemeResourceProviderFactory permiten leer cualquier archivo disponible como recurso para el cargador de clases. Al enviar peticiones de recursos de temas con una ruta relativa desde un cliente HTTP externo, el cliente recibirá el contenido de archivos aleatorios si están disponibles. • https://access.redhat.com/security/cve/CVE-2021-3856 https://bugzilla.redhat.com/show_bug.cgi?id=2010164 https://github.com/keycloak/keycloak/commit/73f0474008e1bebd0733e62a22aceda9e5de6743 https://github.com/keycloak/keycloak/pull/8588 https://issues.redhat.com/browse/KEYCLOAK-19422 • CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-552: Files or Directories Accessible to External Parties •

CVSS: 7.2EPSS: 0%CPEs: 2EXPL: 0

CVE-2022-2668 – keycloak: Uploading of SAML javascript protocol mapper scripts through the admin console

https://notcve.org/view.php?id=CVE-2022-2668

An issue was discovered in Keycloak that allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled Se ha detectado un problema en Keycloak que permite cargar Javascript arbitrario para el mapeador del protocolo SAML incluso si la función UPLOAD_SCRIPTS está deshabilitada A flaw was found in keycloak. The vulnerability allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled. • https://access.redhat.com/security/cve/CVE-2022-2668 https://bugzilla.redhat.com/show_bug.cgi?id=2115392 • CWE-440: Expected Behavior Violation •