CVE-2017-12158

MEDIUM

Keycloak - Reflected XSS

Title source: llm

Description

It was found that Keycloak would accept a HOST header URL in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server.

References (5)

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/101618

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2017:2904

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2017:2905

[Third Party Advisory] https://access.redhat.com/errata/RHSA-2017:2906

[Issue Tracking] https://bugzilla.redhat.com/show_bug.cgi?id=1489161

Scores

CVSS v3 5.4

EPSS 0.0067

EPSS Percentile 70.9%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Classification

CWE

CWE-444 CWE-79

Status draft

Affected Products (4)

redhat/single_sign_on

keycloak/keycloak

org.keycloak/keycloak-parent < 3.4.0Maven

Timeline

Published Oct 26, 2017

Tracked Since Feb 18, 2026