logo

Database

Reflected cross-site scripting (XSS) In org.keycloak:keycloak-core

Description

JBoss KeyCloak Cross-site Scripting Vulnerability If a JBoss Keycloak application was configured to use * as a permitted web origin in the Keycloak administrative console, crafted requests to the login-status-iframe.html endpoint could inject arbitrary Javascript into the generated HTML code via the "origin" query parameter, leading to a cross-site scripting (XSS) vulnerability.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem
Package
Affected version
Patched versions

Aliases

1. CVE-2014-36562. NVD-2014-36563. OSV-2014-36564. GCVE-2014-36565. ACCESS-cve-2014-3656

References

1. https://github.com/keycloak/keycloak/commit/63b41e2548cbc20bd3758e34a82d880e177bf24c2. https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2014-36563. https://issues.jboss.org/browse/KEYCLOAK-7034. https://github.com/shoucheng3/keycloak__keycloak_CVE-2014-3656_1-0-5-Final

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.