CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2020-1697 – keycloak: stored XSS in client settings via application links
https://notcve.org/view.php?id=CVE-2020-1697
10 Feb 2020 — It was found in all keycloak versions before 9.0.0 that links to external applications (Application Links) in the admin console are not validated properly and could allow Stored XSS attacks. An authed malicious user could create URLs to trick users in other realms, and possibly conduct further attacks. Se encontró en todas las versiones de keycloak anteriores a 9.0.0 que los enlaces de aplicaciones externas (Application Links) en la consola de administración no están validados apropiadamente y podrían permi... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1697 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.1EPSS: 0%CPEs: 1EXPL: 0CVE-2014-3652
https://notcve.org/view.php?id=CVE-2014-3652
15 Dec 2019 — JBoss KeyCloak: Open redirect vulnerability via failure to validate the redirect URL. JBoss KeyCloak: una vulnerabilidad de redireccionamiento abierto por falta de comprobación de la URL de redireccionamiento. • https://access.redhat.com/security/cve/cve-2014-3652 • CWE-601: URL Redirection to Untrusted Site ('Open Redirect') •
CVSS: 9.8EPSS: 0%CPEs: 2EXPL: 0CVE-2019-14910
https://notcve.org/view.php?id=CVE-2019-14910
05 Dec 2019 — A vulnerability was found in keycloak 7.x, when keycloak is configured with LDAP user federation and StartTLS is used instead of SSL/TLS from the LDAP server (ldaps), in this case user authentication succeeds even if invalid password has entered. Se encontró una vulnerabilidad en keycloak versiones 7.x, cuando keycloak es configurado con LDAP user federation y StartTLS es usado en lugar de SSL/TLS desde el servidor LDAP (ldaps), en este caso la autenticación del usuario tiene éxito inclusive si una contrase... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14910 • CWE-287: Improper Authentication CWE-295: Improper Certificate Validation CWE-305: Authentication Bypass by Primary Weakness CWE-592: DEPRECATED: Authentication Bypass Issues •
CVSS: 9.3EPSS: 0%CPEs: 2EXPL: 0CVE-2019-14909
https://notcve.org/view.php?id=CVE-2019-14909
04 Dec 2019 — A vulnerability was found in Keycloak 7.x where the user federation LDAP bind type is none (LDAP anonymous bind), any password, invalid or valid will be accepted. Se encontró una vulnerabilidad en Keycloak versiones 7.x donde un tipo de enlace de user federation LDAP es none (enlace anónimo LDAP), y será aceptada cualquier contraseña, no válida o válida. • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14909 • CWE-287: Improper Authentication CWE-305: Authentication Bypass by Primary Weakness CWE-592: DEPRECATED: Authentication Bypass Issues •
CVSS: 9.1EPSS: 0%CPEs: 2EXPL: 1CVE-2019-14837 – keycloak: keycloak uses hardcoded open dummy domain for new accounts enabling information disclosure
https://notcve.org/view.php?id=CVE-2019-14837
02 Dec 2019 — A flaw was found in keycloack before version 8.0.0. The owner of 'placeholder.org' domain can setup mail server on this domain and knowing only name of a client can reset password and then log in. For example, for client name 'test' the email address will be 'service-account-test@placeholder.org'. Se encontró un fallo en keycloack versiones anteriores a la versión 8.0.0. El propietario del dominio "placeholder.org" puede configurar el servidor de correo sobre este dominio y conociendo solo el nombre de un c... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14837 • CWE-547: Use of Hard-coded, Security-relevant Constants CWE-798: Use of Hard-coded Credentials •
CVSS: 4.3EPSS: 0%CPEs: 2EXPL: 0CVE-2014-3655
https://notcve.org/view.php?id=CVE-2014-3655
13 Nov 2019 — JBoss KeyCloak is vulnerable to soft token deletion via CSRF JBoss KeyCloak es vulnerable a la eliminación del token soft por medio de CSRF • https://access.redhat.com/security/cve/cve-2014-3655 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 4.3EPSS: 0%CPEs: 5EXPL: 0CVE-2019-14820 – keycloak: adapter endpoints are exposed via arbitrary URLs
https://notcve.org/view.php?id=CVE-2019-14820
14 Oct 2019 — It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. This vulnerability could allow an attacker to access unauthorized information. Se descubrió que keycloak versiones anteriores la versión 8.0.0, expone los endpoints del adaptador interno en org.keycloak.constants.AdapterConstants, que pueden ser invocadas por medio de una URL especialmente diseñada. Esta vulnerabilidad podría permiti... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14820 • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2019-14832 – keycloak: cross-realm user access auth bypass
https://notcve.org/view.php?id=CVE-2019-14832
14 Oct 2019 — A flaw was found in the Keycloak REST API before version 8.0.0 where it would permit user access from a realm the user was not configured. An authenticated attacker with knowledge of a user id could use this flaw to access unauthorized information or to carry out further attacks. Se encontró un fallo en la API REST de Keycloak anterior a la versión 8.0.0, donde se permitiría el acceso del usuario desde un dominio en el que el usuario no fue configurado. Un atacante autenticado con conocimiento de un id de u... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14832 • CWE-863: Incorrect Authorization •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2019-10199 – keycloak: CSRF check missing in My Resources functionality in the Account Console
https://notcve.org/view.php?id=CVE-2019-10199
14 Aug 2019 — It was found that Keycloak's account console, up to 6.0.1, did not perform adequate header checks in some requests. An attacker could use this flaw to trick an authenticated user into performing operations via request from an untrusted domain. Se detectó que la consola de cuenta de Keycloak, versiones hasta 6.0.1, no realizaba comprobaciones de encabezado adecuadas en algunas peticiones. Un atacante podría usar este fallo para engañar a un usuario autenticado para que realice operaciones por medio de una pe... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-10199 • CWE-352: Cross-Site Request Forgery (CSRF) •
CVSS: 8.1EPSS: 0%CPEs: 3EXPL: 0CVE-2019-10201 – keycloak: SAML broker does not check existence of signature on document allowing any user impersonation
https://notcve.org/view.php?id=CVE-2019-10201
14 Aug 2019 — It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. If an attacker modifies the SAML Response and removes the