
CVSS: 4.8 • EPSS: 0% • CPEs: 1 • EXPL: 0

A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a Cross-site scripting attack.

• https://bugzilla.redhat.com/show_bug.cgi?id=1847428
• https://access.redhat.com/security/cve/CVE-2020-10776
• CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CVSS: 8.1 • EPSS: 0% • CPEs: 1 • EXPL: 0

It was found that Keycloak before version 12.0.0 would permit a user with only view-profile role to manage the resources in the new account console, allowing access and modification of data the user was not intended to have.

A flaw was found in Keycloak, where it would permit a user with a view-profile role to manage the resources in the new account console. This flaw allows a user with a view-profile role to access and modify data for which the user does not have adequate permission.

• https://access.redhat.com/security/cve/CVE-2020-14389
• https://bugzilla.redhat.com/show_bug.cgi?id=1875843
• CWE-916: Use of Password Hash With Insufficient Computational Effort