CVE-2018-14655
keycloak: XSS-Vulnerability with response_mode=form_post
Severity Score
Exploit Likelihood
Affected Versions
Public Exploits
0Exploited in Wild
-Decision
Descriptions
A flaw was found in Keycloak 3.4.3.Final, 4.0.0.Beta2, 4.3.0.Final. When using 'response_mode=form_post' it is possible to inject arbitrary Javascript-Code via the 'state'-parameter in the authentication URL. This allows an XSS-Attack upon succesfully login.
Se ha descubierto un error en Keycloak 3.4.3.Final, 4.0.0.Beta2 y 4.3.0.Final. Al emplear "response_mode=form_post", es posible inyectar código JavaScript arbitrario mediante el parámetro "state" en la URL de autenticación. Esto permite un ataque Cross-Site Scripting (XSS) al iniciar sesión exitosamente.
Red Hat Single Sign-On 7.2 is a standalone server, based on the Keycloak project, that provides authentication and standards-based single sign-on capabilities for web and mobile applications. This release of Red Hat Single Sign-On 7.2.5 serves as a replacement for Red Hat Single Sign-On 7.2.4, and includes bug fixes and enhancements, which are documented in the Release Notes document linked to in the References. Issues addressed include a cross site scripting vulnerability.
CVSS Scores
SSVC
- Decision:-
Timeline
- 2018-07-27 CVE Reserved
- 2018-11-13 CVE Published
- 2024-08-05 CVE Updated
- 2025-05-06 EPSS Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CAPEC
References (6)
| URL | Tag | Source |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|
| URL | Date | SRC |
|---|---|---|
| https://access.redhat.com/errata/RHSA-2018:3592 | 2019-10-09 | |
| https://access.redhat.com/errata/RHSA-2018:3593 | 2019-10-09 | |
| https://access.redhat.com/errata/RHSA-2018:3595 | 2019-10-09 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14655 | 2019-10-09 | |
| https://access.redhat.com/security/cve/CVE-2018-14655 | 2018-11-13 | |
| https://bugzilla.redhat.com/show_bug.cgi?id=1625396 | 2018-11-13 |
Affected Vendors, Products, and Versions
| Vendor | Product | Version | Other | Status | ||||||
|---|---|---|---|---|---|---|---|---|---|---|
| Vendor | Product | Version | Other | Status | <-- --> | Vendor | Product | Version | Other | Status |
| Redhat Search vendor "Redhat" | Single Sign-on Search vendor "Redhat" for product "Single Sign-on" | 7.2 Search vendor "Redhat" for product "Single Sign-on" and version "7.2" | - |
Affected
| in | Redhat Search vendor "Redhat" | Linux Search vendor "Redhat" for product "Linux" | 7.0 Search vendor "Redhat" for product "Linux" and version "7.0" | - |
Safe
|
| Redhat Search vendor "Redhat" | Single Sign-on Search vendor "Redhat" for product "Single Sign-on" | 7.2 Search vendor "Redhat" for product "Single Sign-on" and version "7.2" | - |
Affected
| in | Redhat Search vendor "Redhat" | Linux Search vendor "Redhat" for product "Linux" | 6.0 Search vendor "Redhat" for product "Linux" and version "6.0" | - |
Safe
|
| Redhat Search vendor "Redhat" | Keycloak Search vendor "Redhat" for product "Keycloak" | 3.4.3 Search vendor "Redhat" for product "Keycloak" and version "3.4.3" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Keycloak Search vendor "Redhat" for product "Keycloak" | 4.0.0 Search vendor "Redhat" for product "Keycloak" and version "4.0.0" | beta2 |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Keycloak Search vendor "Redhat" for product "Keycloak" | 4.3.0 Search vendor "Redhat" for product "Keycloak" and version "4.3.0" | - |
Affected
| ||||||
| Redhat Search vendor "Redhat" | Single Sign-on Search vendor "Redhat" for product "Single Sign-on" | - | text-only |
Affected
| ||||||