CVSS: 6.8EPSS: 0%CPEs: 1EXPL: 0CVE-2020-1744 – keycloak: failedLogin Event not sent to BruteForceProtector when using Post Login Flow with Conditional-OTP
https://notcve.org/view.php?id=CVE-2020-1744
24 Mar 2020 — A flaw was found in keycloak before version 9.0.1. When configuring an Conditional OTP Authentication Flow as a post login flow of an IDP, the failure login events for OTP are not being sent to the brute force protection event queue. So BruteForceProtector does not handle this events. Se descubrió un fallo en keycloak versiones anteriores a la versión 9.0.1. Cuando se configura un Conditional OTP Authentication Flow como un flujo posterior al inicio de sesión de un IDP, los eventos de inicio de sesión falli... • https://access.redhat.com/security/cve/CVE-2020-1744 • CWE-755: Improper Handling of Exceptional Conditions •
CVSS: 6.1EPSS: 0%CPEs: 2EXPL: 0CVE-2020-1697 – keycloak: stored XSS in client settings via application links
https://notcve.org/view.php?id=CVE-2020-1697
10 Feb 2020 — It was found in all keycloak versions before 9.0.0 that links to external applications (Application Links) in the admin console are not validated properly and could allow Stored XSS attacks. An authed malicious user could create URLs to trick users in other realms, and possibly conduct further attacks. Se encontró en todas las versiones de keycloak anteriores a 9.0.0 que los enlaces de aplicaciones externas (Application Links) en la consola de administración no están validados apropiadamente y podrían permi... • https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1697 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •