CVSS: 5.7EPSS: 0%CPEs: 2EXPL: 1CVE-2022-0225 – keycloak: Stored XSS in groups dropdown
https://notcve.org/view.php?id=CVE-2022-0225
26 Aug 2022 — A flaw was found in Keycloak. This flaw allows a privileged attacker to use the malicious payload as the group name while creating a new group from the admin console, leading to a stored Cross-site scripting (XSS) attack. Se ha encontrado un fallo en Keycloak. Este fallo permite a un atacante privilegiado usar la carga útil maliciosa como nombre del grupo mientras es creado un nuevo grupo desde la consola de administración, conllevando a un ataque de tipo Cross-site scripting (XSS) almacenado. Red Hat Singl... • https://bugzilla.redhat.com/show_bug.cgi?id=2040268 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 5.3EPSS: 4%CPEs: 2EXPL: 1CVE-2021-3754
https://notcve.org/view.php?id=CVE-2021-3754
26 Aug 2022 — A flaw was found in keycloak where an attacker is able to register himself with the username same as the email ID of any existing user. This may cause trouble in getting password recovery email in case the user forgets the password. Se ha encontrado un fallo en keycloak por el que un atacante puede registrarse con el mismo nombre de usuario que el ID de correo electrónico de cualquier usuario existente. Esto puede causar problemas a la hora de recibir el correo electrónico de recuperación de la contraseña e... • https://github.com/7Ragnarok7/CVE-2021-3754 • CWE-20: Improper Input Validation •
CVSS: 8.3EPSS: 0%CPEs: 2EXPL: 0CVE-2022-2668 – keycloak: Uploading of SAML javascript protocol mapper scripts through the admin console
https://notcve.org/view.php?id=CVE-2022-2668
05 Aug 2022 — An issue was discovered in Keycloak that allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled Se ha detectado un problema en Keycloak que permite cargar Javascript arbitrario para el mapeador del protocolo SAML incluso si la función UPLOAD_SCRIPTS está deshabilitada A flaw was found in keycloak. The vulnerability allows arbitrary Javascript to be uploaded for the SAML protocol mapper even if the UPLOAD_SCRIPTS feature is disabled. Red Hat Sin... • https://access.redhat.com/security/cve/CVE-2022-2668 • CWE-440: Expected Behavior Violation •
CVSS: 7.8EPSS: 0%CPEs: 14EXPL: 0CVE-2022-1259 – undertow: potential security issue in flow control over HTTP/2 may lead to DOS(incomplete fix for CVE-2021-3629)
https://notcve.org/view.php?id=CVE-2022-1259
27 Jul 2022 — A flaw was found in Undertow. A potential security issue in flow control handling by the browser over HTTP/2 may cause overhead or a denial of service in the server. This flaw exists because of an incomplete fix for CVE-2021-3629. Se ha encontrado un fallo en Undertow. Un posible problema de seguridad en la administración del control de flujo por parte del navegador sobre HTTP/2 puede causar una sobrecarga o una denegación de servicio en el servidor. • https://access.redhat.com/security/cve/CVE-2022-1259 • CWE-400: Uncontrolled Resource Consumption CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 8.8EPSS: 0%CPEs: 1EXPL: 0CVE-2022-2256 – Visualizer: Tables and Charts Manager for WordPress <= 3.7.9 - Authenticated (Contributor+) PHAR Deserialization
https://notcve.org/view.php?id=CVE-2022-2256
05 Jul 2022 — A Stored Cross-site scripting (XSS) vulnerability was found in keycloak as shipped in Red Hat Single Sign-On 7. This flaw allows a privileged attacker to execute malicious scripts in the admin console, abusing the default roles functionality. Se ha encontrado una vulnerabilidad de tipo Cross-site scripting (XSS) Almacenado en keycloak tal y como es suministrado en Red Hat Single Sign-On versión 7. Este fallo permite a un atacante privilegiado ejecutar scripts maliciosos en la consola de administración, abus... • https://bugzilla.redhat.com/show_bug.cgi?id=2101942 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') CWE-502: Deserialization of Untrusted Data •
CVSS: 7.8EPSS: 0%CPEs: 15EXPL: 0CVE-2022-1319 – undertow: Double AJP response for 400 from EAP 7 results in CPING failures
https://notcve.org/view.php?id=CVE-2022-1319
07 Jun 2022 — A flaw was found in Undertow. For an AJP 400 response, EAP 7 is improperly sending two response packets, and those packets have the reuse flag set even though JBoss EAP closes the connection. A failure occurs when the connection is reused after a 400 by CPING since it reads in the second SEND_HEADERS response packet instead of a CPONG. Se ha encontrado un fallo en Undertow. Para una respuesta AJP 400, EAP 7 envía inapropiadamente el flag de reúso habilitado aunque JBoss EAP cierra la conexión. es producido ... • https://access.redhat.com/security/cve/CVE-2022-1319 • CWE-252: Unchecked Return Value •
CVSS: 7.8EPSS: 0%CPEs: 4EXPL: 0CVE-2022-0084 – xnio: org.xnio.StreamConnection.notifyReadClosed log to debug instead of stderr
https://notcve.org/view.php?id=CVE-2022-0084
12 May 2022 — A flaw was found in XNIO, specifically in the notifyReadClosed method. The issue revealed this method was logging a message to another expected end. This flaw allows an attacker to send flawed requests to a server, possibly causing log contention-related performance concerns or an unwanted disk fill-up. Se ha encontrado un fallo en XNIO, concretamente en el método notifyReadClosed. El problema reveló que este método estaba registrando un mensaje a otro extremo esperado. • https://access.redhat.com/security/cve/CVE-2022-0084 • CWE-770: Allocation of Resources Without Limits or Throttling •
CVSS: 6.5EPSS: 0%CPEs: 2EXPL: 2CVE-2022-1466 – keycloak: Improper authorization for master realm
https://notcve.org/view.php?id=CVE-2022-1466
26 Apr 2022 — Due to improper authorization, Red Hat Single Sign-On is vulnerable to users performing actions that they should not be allowed to perform. It was possible to add users to the master realm even though no respective permission was granted. Debido a una autorización inapropiada, Red Hat Single Sign-On es vulnerable a que usuarios lleven a cabo acciones que no deberían estar autorizados a realizar. Era posible añadir usuarios al reino maestro aunque no sea concedido el permiso correspondiente A flaw was found ... • https://bugzilla.redhat.com/show_bug.cgi?id=2050228 • CWE-863: Incorrect Authorization CWE-1220: Insufficient Granularity of Access Control •
CVSS: 7.5EPSS: 0%CPEs: 5EXPL: 1CVE-2022-0853 – jboss-client: memory leakage in remote client transaction
https://notcve.org/view.php?id=CVE-2022-0853
11 Mar 2022 — A flaw was found in JBoss-client. The vulnerability occurs due to a memory leak on the JBoss client-side, when using UserTransaction repeatedly and leads to information leakage vulnerability. Se ha encontrado un fallo en JBoss-client. La vulnerabilidad es producida debido a una pérdida de memoria en el lado del cliente de JBoss, cuando es usado UserTransaction repetidamente y conlleva a una vulnerabilidad de filtrado de información A flaw was found in the jboss-client. A memory leak on the JBoss client-side... • https://github.com/ByteHackr/CVE-2022-0853 • CWE-401: Missing Release of Memory after Effective Lifetime •
CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2021-3859 – undertow: client side invocation timeout raised when calling over HTTP2
https://notcve.org/view.php?id=CVE-2021-3859
03 Feb 2022 — A flaw was found in Undertow that tripped the client-side invocation timeout with certain calls made over HTTP2. This flaw allows an attacker to carry out denial of service attacks. Se ha encontrado un fallo en Undertow que dispara el tiempo de espera de la invocación del lado del cliente con determinadas llamadas realizadas a través de HTTP2. Este fallo permite a un atacante realizar ataques de denegación de servicio. Red Hat Single Sign-On is an integrated sign-on solution, available as a Red Hat JBoss Mi... • https://access.redhat.com/security/cve/CVE-2021-3859 • CWE-214: Invocation of Process Using Visible Sensitive Information CWE-668: Exposure of Resource to Wrong Sphere •