CVE-2018-14655

A flaw was found in Keycloak 3.4.3.Final, 4.0.0.Beta2, 4.3.0.Final. When using 'responsemode=formpost' it is possible to inject arbitrary Javascript-Code via the 'state'-parameter in the authentication URL. This allows an XSS-Attack upon succesfully login.

References

Affected packages

Git / github.com/keycloak/keycloak

Affected ranges

Type

GIT

Repo

https://github.com/keycloak/keycloak

Events

Introduced

Last affected

517588ecca8e8749c70c7a28706fc405623617d3

Introduced

Last affected

58140c3560d17e0077cace60a44a41716009a3b8

Introduced

Last affected

b2269bd74dab4f95cc25c413fb7b06aa2bd678c3

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.4.3"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.0.0-beta2"
        },
        {
            "introduced": "0"
        },
        {
            "last_affected": "4.3.0"
        }
    ]
}

Affected versions

1.*

1.0-alpha-1

1.0-alpha-1-12062013

1.0-alpha-2

1.0-alpha-3

1.0-beta-1

1.0-beta-2

1.0-beta-4

1.0-final

1.0-rc-1

1.0.0.Final

1.1.0.Beta2

1.3.0.Final

2.*

2.4.0.Test

3.*

3.4.2.Final

3.4.3.Final

4.*

4.0.0.Beta2

4.3.0.Final

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2018-14655.json"

unresolved_ranges

[
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "7.2"
            }
        ]
    },
    {
        "events": [
            {
                "introduced": "0"
            },
            {
                "last_affected": "7.2"
            }
        ]
    }
]