CVSS: 5.7EPSS: 0%CPEs: 2EXPL: 1CVE-2022-0225 – keycloak: Stored XSS in groups dropdown
https://notcve.org/view.php?id=CVE-2022-0225
A flaw was found in Keycloak. This flaw allows a privileged attacker to use the malicious payload as the group name while creating a new group from the admin console, leading to a stored Cross-site scripting (XSS) attack. Se ha encontrado un fallo en Keycloak. Este fallo permite a un atacante privilegiado usar la carga útil maliciosa como nombre del grupo mientras es creado un nuevo grupo desde la consola de administración, conllevando a un ataque de tipo Cross-site scripting (XSS) almacenado. • https://bugzilla.redhat.com/show_bug.cgi?id=2040268 https://github.com/keycloak/keycloak/security/advisories/GHSA-755v-r4x4-qf7m https://access.redhat.com/security/cve/CVE-2022-0225 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 0%CPEs: 2EXPL: 1CVE-2021-3754
https://notcve.org/view.php?id=CVE-2021-3754
A flaw was found in keycloak where an attacker is able to register himself with the username same as the email ID of any existing user. This may cause trouble in getting password recovery email in case the user forgets the password. Se ha encontrado un fallo en keycloak por el que un atacante puede registrarse con el mismo nombre de usuario que el ID de correo electrónico de cualquier usuario existente. Esto puede causar problemas a la hora de recibir el correo electrónico de recuperación de la contraseña en caso de que el usuario la olvide. • https://github.com/7Ragnarok7/CVE-2021-3754 https://access.redhat.com/security/cve/CVE-2021-3754 https://bugzilla.redhat.com/show_bug.cgi?id=1999196 • CWE-20: Improper Input Validation •
CVSS: 7.2EPSS: 0%CPEs: 2EXPL: 0CVE-2022-2668 – keycloak: Uploading of SAML javascript protocol mapper scripts through the admin console
https://notcve.org/view.php?id=CVE-2022-2668
An issue was discovered in Keycloak that allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled Se ha detectado un problema en Keycloak que permite cargar Javascript arbitrario para el mapeador del protocolo SAML incluso si la función UPLOAD_SCRIPTS está deshabilitada A flaw was found in keycloak. The vulnerability allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled. • https://access.redhat.com/security/cve/CVE-2022-2668 https://bugzilla.redhat.com/show_bug.cgi?id=2115392 • CWE-440: Expected Behavior Violation •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-2256 – Visualizer: Tables and Charts Manager for WordPress <= 3.7.9 - Authenticated (Contributor+) PHAR Deserialization
https://notcve.org/view.php?id=CVE-2022-2256
A Stored Cross-site scripting (XSS) vulnerability was found in keycloak as shipped in Red Hat Single Sign-On 7. This flaw allows a privileged attacker to execute malicious scripts in the admin console, abusing the default roles functionality. Se ha encontrado una vulnerabilidad de tipo Cross-site scripting (XSS) Almacenado en keycloak tal y como es suministrado en Red Hat Single Sign-On versión 7. Este fallo permite a un atacante privilegiado ejecutar scripts maliciosos en la consola de administración, abusando de la funcionalidad de los roles por defecto A Stored Cross-site scripting (XSS) vulnerability was found in keycloak. This flaw allows a privileged attacker to execute malicious scripts in the admin console, abusing the default roles functionality. • https://bugzilla.redhat.com/show_bug.cgi?id=2101942 https://github.com/keycloak/keycloak/security/advisories/GHSA-w9mf-83w3-fv49 https://access.redhat.com/security/cve/CVE-2022-2256 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-502: Deserialization of Untrusted Data •
CVSS: 7.5EPSS: 0%CPEs: 15EXPL: 0CVE-2022-1319 – undertow: Double AJP response for 400 from EAP 7 results in CPING failures
https://notcve.org/view.php?id=CVE-2022-1319
A flaw was found in Undertow. For an AJP 400 response, EAP 7 is improperly sending two response packets, and those packets have the reuse flag set even though JBoss EAP closes the connection. A failure occurs when the connection is reused after a 400 by CPING since it reads in the second SEND_HEADERS response packet instead of a CPONG. Se ha encontrado un fallo en Undertow. Para una respuesta AJP 400, EAP 7 envía inapropiadamente el flag de reúso habilitado aunque JBoss EAP cierra la conexión. es producido un fallo cuando la conexión es reusada después de un 400 por CPING ya que lee en el segundo paquete de respuesta SEND_HEADERS en lugar de un CPONG • https://access.redhat.com/security/cve/CVE-2022-1319 https://bugzilla.redhat.com/show_bug.cgi?id=2073890 https://github.com/undertow-io/undertow/commit/1443a1a2bbb8e32e56788109d8285db250d55c8b https://github.com/undertow-io/undertow/commit/7c5b3ab885b5638fd3f1e8a935d5063d68aa2df3 https://issues.redhat.com/browse/UNDERTOW-2060 https://security.netapp.com/advisory/ntap-20221014-0006 • CWE-252: Unchecked Return Value •