CVE-2024-11831 – npm-serialize-javascript: cross-site scripting (XSS) in serialize-javascript
CVSS: 5.5 | EPSS: 1% | CPEs: 47 | EXPL: 0
https://notcve.org/view.php?id=CVE-2024-11831
10 Feb 2025 — A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web applicatio...
• https://access.redhat.com/security/cve/CVE-2024-11831 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-23367 – org.wildfly.core:wildfly-server: Wildfly improper RBAC permission
CVSS: 6.8 | EPSS: 0% | CPEs: 12 | EXPL: 0
https://notcve.org/view.php?id=CVE-2025-23367
30 Jan 2025 — A flaw was found in the Wildfly Server Role Based Access Control (RBAC) provider. When authorization to control management operations is secured using the Role Based Access Control provider, a user without the required privileges can suspend or resume the server. A user with a Monitor or Auditor role is supposed to have only read access permissions and should not be able to suspend the server. The vulnerability is caused by the Suspend and Resume handlers not performing authorization checks to validate whet...
• https://access.redhat.com/security/cve/CVE-2025-23367 • CWE-284: Improper Access Control
CVE-2025-0604 – keycloak-ldap-federation: authentication bypass due to missing LDAP bind after password reset in Keycloak
CVSS: 5.5 | EPSS: 0% | CPEs: 3 | EXPL: 0
https://notcve.org/view.php?id=CVE-2025-0604
22 Jan 2025 — A flaw was found in Keycloak. When an Active Directory user resets their password, the system updates it without performing an LDAP bind to validate the new credentials against AD. This vulnerability allows users whose AD accounts are expired or disabled to regain access in Keycloak, bypassing AD restrictions. The issue enables authentication bypass and could allow unauthorized access under certain conditions. New images are available for Red Hat build of Keycloak 26.0.10 and Red Hat build of Keycloak 26.0....
• https://access.redhat.com/security/cve/CVE-2025-0604 • CWE-287: Improper Authentication
CVE-2024-10270 – org.keycloak:keycloak-services: Keycloak denial of service
CVSS: 6.8 | EPSS: 0% | CPEs: 5 | EXPL: 0
https://notcve.org/view.php?id=CVE-2024-10270
25 Nov 2024 — A vulnerability was found in the Keycloak-services package. If untrusted data is passed to the SearchQueryUtils method, it could lead to a denial of service (DoS) by exhausting system resources due to regex complexity.
• https://access.redhat.com/errata/RHSA-2024:10175 • CWE-1333: Inefficient Regular Expression Complexity
CVE-2022-2232 – Keycloak: LDAP injection on username input
CVSS: 7.8 | EPSS: 0% | CPEs: 2 | EXPL: 0
https://notcve.org/view.php?id=CVE-2022-2232
14 Nov 2024 — A flaw was found in the Keycloak package. This flaw allows an attacker to use LDAP injection to bypass the username lookup or potentially perform other malicious actions.
• https://access.redhat.com/errata/RHSA-2024:0094 • CWE-20: Improper Input Validation
CVE-2023-1932 – hibernate-validator: rendering of invalid HTML with SafeHtml leads to HTML injection and XSS
CVSS: 6.4 | EPSS: 0% | CPEs: 32 | EXPL: 0
https://notcve.org/view.php?id=CVE-2023-1932
07 Nov 2024 — A flaw was found in hibernate-validator's 'isValid' method in the org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator class, which can be bypassed by omitting the tag ending in a less-than character. Browsers may render the invalid HTML, allowing HTML injection or cross-site scripting (XSS) attacks.
• https://access.redhat.com/security/cve/CVE-2023-1932 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-10234 – Wildfly: Wildfly vulnerable to cross-site scripting (XSS)
CVSS: 7.7 | EPSS: 0% | CPEs: 7 | EXPL: 0
https://notcve.org/view.php?id=CVE-2024-10234
22 Oct 2024 — A vulnerability was found in Wildfly, where a user may perform cross-site scripting in the Wildfly deployment system. This flaw allows an attacker or insider to execute a deployment with a malicious payload, which could trigger undesired behavior against the server. A security update is now available for Red Hat JBoss Enterprise Application Platform 7.4 for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability scoring Syst...
• https://access.redhat.com/security/cve/CVE-2024-10234 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-3656 – Keycloak: unguarded admin REST API endpoints allow low-privilege users to use administrative functionalities
CVSS: 8.5 | EPSS: 89% | CPEs: 4 | EXPL: 1
https://notcve.org/view.php?id=CVE-2024-3656
09 Oct 2024 — A flaw was found in Keycloak. Certain endpoints in Keycloak's admin REST API allow low-privilege users to access administrative functionalities. This flaw allows users to perform actions reserved for administrators, potentially leading to data breaches or system compromise.
• https://github.com/h4x0r-dz/CVE-2024-3656 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor
CVE-2024-8883 – Keycloak: vulnerable redirect URI validation results in open redirect
CVSS: 6.8 | EPSS: 6% | CPEs: 11 | EXPL: 0
https://notcve.org/view.php?id=CVE-2024-8883
19 Sep 2024 — A misconfiguration flaw was found in Keycloak. This issue can allow an attacker to redirect users to an arbitrary URL if a 'Valid Redirect URI' is set to http://localhost or http://127.0.0.1, enabling sensitive information such as authorization codes to be exposed to the attacker, potentially leading to session hijacking. A security update is now available for Red Hat JBoss Enterprise Application Platform 8.0. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common V...
• https://access.redhat.com/security/cve/CVE-2024-8883 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
CVE-2024-8698 – keycloak-saml-core: improper verification of SAML responses leading to privilege escalation in Keycloak
CVSS: 7.7 | EPSS: 81% | CPEs: 6 | EXPL: 1
https://notcve.org/view.php?id=CVE-2024-8698
19 Sep 2024 — A flaw exists in the SAML signature validation method within the Keycloak XMLSignatureUtil class. The method incorrectly determines whether a SAML signature is for the full document or only for specific assertions based on the position of the signature in the XML document, rather than the Reference element used to specify the signed element. This flaw allows attackers to create crafted responses that can bypass the validation, potentially leading to privilege escalation or impersonation attacks. New images ...
• https://github.com/huydoppaz/CVE-2024-8698-POC • CWE-347: Improper Verification of Cryptographic Signature
