Page 3 of 23 results (0.440 seconds)

CVSS: 7.6EPSS: 0%CPEs: 13EXPL: 0

CVE-2022-1274 – keycloak: HTML injection in execute-actions-email Admin REST API

https://notcve.org/view.php?id=CVE-2022-1274

A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users. • https://bugzilla.redhat.com/show_bug.cgi?id=2073157 https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725 https://herolab.usd.de/security-advisories/usd-2021-0033 https://access.redhat.com/security/cve/CVE-2022-1274 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) •

CVSS: 6.8EPSS: 0%CPEs: 15EXPL: 0

CVE-2022-3916 – Keycloak: session takeover with oidc offline refreshtokens

https://notcve.org/view.php?id=CVE-2022-3916

A flaw was found in the offline_access scope in Keycloak. This issue would affect users of shared computers more (especially if cookies are not cleared), due to a lack of root session validation, and the reuse of session ids across root and user authentication sessions. This enables an attacker to resolve a user session attached to a previously authenticated user; when utilizing the refresh token, they will be issued a token for the original user. Se encontró una falla en el alcance offline_access en Keycloak. Este problema afectaría más a los usuarios de ordenadores compartidos (especialmente si las cookies no se borran), debido a la falta de validación de la sesión root y a la reutilización de los identificadores de sesión en las sesiones de autenticación de usuario y root. • https://access.redhat.com/errata/RHSA-2022:8961 https://access.redhat.com/errata/RHSA-2022:8962 https://access.redhat.com/errata/RHSA-2022:8963 https://access.redhat.com/errata/RHSA-2022:8964 https://access.redhat.com/errata/RHSA-2022:8965 https://access.redhat.com/errata/RHSA-2023:1043 https://access.redhat.com/errata/RHSA-2023:1044 https://access.redhat.com/errata/RHSA-2023:1045 https://access.redhat.com/errata/RHSA-2023:1047 https://access.redhat.com/errata/RHSA • CWE-384: Session Fixation CWE-613: Insufficient Session Expiration •

CVSS: 7.4EPSS: 0%CPEs: 1EXPL: 0

CVE-2022-3259 – OpenShift: Missing HTTP Strict Transport Security

https://notcve.org/view.php?id=CVE-2022-3259

Openshift 4.9 does not use HTTP Strict Transport Security (HSTS) which may allow man-in-the-middle (MITM) attacks. Openshift 4.9 no utiliza HTTP Strict Transport Security (HSTS), que puede permitir ataques de intermediario (MITM). • https://bugzilla.redhat.com/show_bug.cgi?id=2103220 https://access.redhat.com/security/cve/CVE-2022-3259 • CWE-665: Improper Initialization •

CVSS: 4.8EPSS: 0%CPEs: 1EXPL: 1

CVE-2022-3260

https://notcve.org/view.php?id=CVE-2022-3260

The response header has not enabled X-FRAME-OPTIONS, Which helps prevents against Clickjacking attack.. Some browsers would interpret these results incorrectly, allowing clickjacking attacks. El encabezado de respuesta no ha habilitado X-FRAME-OPTIONS, lo que ayuda a prevenir ataques de Clickjacking. Algunos navegadores interpretarían estos resultados incorrectamente, permitiendo ataques de clickjacking. • https://bugzilla.redhat.com/show_bug.cgi?id=2106780 • CWE-1021: Improper Restriction of Rendered UI Layers or Frames •

CVSS: 8.1EPSS: 0%CPEs: 1EXPL: 0

CVE-2022-3262

https://notcve.org/view.php?id=CVE-2022-3262

A flaw was found in Openshift. A pod with a DNSPolicy of "ClusterFirst" may incorrectly resolve the hostname based on a service provided. This flaw allows an attacker to supply an incorrect name with the DNS search policy, affecting confidentiality and availability. Se encontró un fallo en Openshift. Un pod con una política DNS de "ClusterFirst" puede resolver incorrectamente el nombre de host según un servicio proporcionado. • https://bugzilla.redhat.com/show_bug.cgi?id=2128858 • CWE-453: Insecure Default Variable Initialization CWE-1188: Initialization of a Resource with an Insecure Default •