Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2023-6717

Summary
Assigner-redhat
Assigner Org ID-53f830b8-0a3f-465b-8143-3b8a9948e749
Published At-25 Apr, 2024 | 16:02
Updated At-26 Aug, 2025 | 06:25
Rejected At-
Credits

Keycloak: xss via assertion consumer service url in saml post-binding flow

A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issue may allow a malicious admin in one realm or a client with registration access to target users in different realms or applications, executing arbitrary JavaScript in their contexts upon form submission. This can enable unauthorized access and harmful actions, compromising the confidentiality, integrity, and availability of the complete KC instance.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:redhat
Assigner Org ID:53f830b8-0a3f-465b-8143-3b8a9948e749
Published At:25 Apr, 2024 | 16:02
Updated At:26 Aug, 2025 | 06:25
Rejected At:
▼CVE Numbering Authority (CNA)
Keycloak: xss via assertion consumer service url in saml post-binding flow

A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issue may allow a malicious admin in one realm or a client with registration access to target users in different realms or applications, executing arbitrary JavaScript in their contexts upon form submission. This can enable unauthorized access and harmful actions, compromising the confidentiality, integrity, and availability of the complete KC instance.

Affected Products
Collection URL
https://github.com/keycloak/keycloak
Package Name
keycloak
Default Status
unaffected
Versions
Affected
  • From 0 before 22.0.10 (maven)
  • From 24.0.0 before 24.0.3 (maven)
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat AMQ Broker 7
Collection URL
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html
Package Name
keycloak
CPEs
  • cpe:/a:redhat:amq_broker:7.12
Default Status
unaffected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat build of Keycloak 22
Collection URL
https://catalog.redhat.com/software/containers/
Package Name
rhbk/keycloak-operator-bundle
CPEs
  • cpe:/a:redhat:build_keycloak:22::el9
Default Status
affected
Versions
Unaffected
  • From 22.0.10-1 before * (rpm)
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat build of Keycloak 22
Collection URL
https://catalog.redhat.com/software/containers/
Package Name
rhbk/keycloak-rhel9
CPEs
  • cpe:/a:redhat:build_keycloak:22::el9
Default Status
affected
Versions
Unaffected
  • From 22-13 before * (rpm)
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat build of Keycloak 22
Collection URL
https://catalog.redhat.com/software/containers/
Package Name
rhbk/keycloak-rhel9-operator
CPEs
  • cpe:/a:redhat:build_keycloak:22::el9
Default Status
affected
Versions
Unaffected
  • From 22-16 before * (rpm)
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat build of Keycloak 22.0.10
Collection URL
https://access.redhat.com/downloads/content/package-browser/
Package Name
keycloak
CPEs
  • cpe:/a:redhat:build_keycloak:22
Default Status
unaffected
Vendor
Red Hat, Inc.Red Hat
Product
RHOSS-1.33-RHEL-8
Collection URL
https://catalog.redhat.com/software/containers/
Package Name
openshift-serverless-1/logic-data-index-ephemeral-rhel8
CPEs
  • cpe:/a:redhat:openshift_serverless:1.33::el8
Default Status
affected
Versions
Unaffected
  • From 1.33.0-5 before * (rpm)
Vendor
Red Hat, Inc.Red Hat
Product
RHOSS-1.33-RHEL-8
Collection URL
https://catalog.redhat.com/software/containers/
Package Name
openshift-serverless-1/logic-data-index-postgresql-rhel8
CPEs
  • cpe:/a:redhat:openshift_serverless:1.33::el8
Default Status
affected
Versions
Unaffected
  • From 1.33.0-5 before * (rpm)
Vendor
Red Hat, Inc.Red Hat
Product
RHOSS-1.33-RHEL-8
Collection URL
https://catalog.redhat.com/software/containers/
Package Name
openshift-serverless-1/logic-jobs-service-ephemeral-rhel8
CPEs
  • cpe:/a:redhat:openshift_serverless:1.33::el8
Default Status
affected
Versions
Unaffected
  • From 1.33.0-5 before * (rpm)
Vendor
Red Hat, Inc.Red Hat
Product
RHOSS-1.33-RHEL-8
Collection URL
https://catalog.redhat.com/software/containers/
Package Name
openshift-serverless-1/logic-jobs-service-postgresql-rhel8
CPEs
  • cpe:/a:redhat:openshift_serverless:1.33::el8
Default Status
affected
Versions
Unaffected
  • From 1.33.0-5 before * (rpm)
Vendor
Red Hat, Inc.Red Hat
Product
RHOSS-1.33-RHEL-8
Collection URL
https://catalog.redhat.com/software/containers/
Package Name
openshift-serverless-1/logic-kn-workflow-cli-artifacts-rhel8
CPEs
  • cpe:/a:redhat:openshift_serverless:1.33::el8
Default Status
affected
Versions
Unaffected
  • From 1.33.0-5 before * (rpm)
Vendor
Red Hat, Inc.Red Hat
Product
RHOSS-1.33-RHEL-8
Collection URL
https://catalog.redhat.com/software/containers/
Package Name
openshift-serverless-1/logic-operator-bundle
CPEs
  • cpe:/a:redhat:openshift_serverless:1.33::el8
Default Status
affected
Versions
Unaffected
  • From 1.33.0-5 before * (rpm)
Vendor
Red Hat, Inc.Red Hat
Product
RHOSS-1.33-RHEL-8
Collection URL
https://catalog.redhat.com/software/containers/
Package Name
openshift-serverless-1/logic-rhel8-operator
CPEs
  • cpe:/a:redhat:openshift_serverless:1.33::el8
Default Status
affected
Versions
Unaffected
  • From 1.33.0-3 before * (rpm)
Vendor
Red Hat, Inc.Red Hat
Product
RHOSS-1.33-RHEL-8
Collection URL
https://catalog.redhat.com/software/containers/
Package Name
openshift-serverless-1/logic-swf-builder-rhel8
CPEs
  • cpe:/a:redhat:openshift_serverless:1.33::el8
Default Status
affected
Versions
Unaffected
  • From 1.33.0-5 before * (rpm)
Vendor
Red Hat, Inc.Red Hat
Product
RHOSS-1.33-RHEL-8
Collection URL
https://catalog.redhat.com/software/containers/
Package Name
openshift-serverless-1/logic-swf-devmode-rhel8
CPEs
  • cpe:/a:redhat:openshift_serverless:1.33::el8
Default Status
affected
Versions
Unaffected
  • From 1.33.0-5 before * (rpm)
Vendor
Red Hat, Inc.Red Hat
Product
RHPAM 7.13.5 async
Collection URL
https://access.redhat.com/downloads/content/package-browser/
CPEs
  • cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13
Default Status
unaffected
Vendor
Red Hat, Inc.Red Hat
Product
Migration Toolkit for Applications 6
Collection URL
https://access.redhat.com/downloads/content/package-browser/
Package Name
mta/mta-ui-rhel9
CPEs
  • cpe:/a:redhat:migration_toolkit_applications:6
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Migration Toolkit for Applications 7
Collection URL
https://access.redhat.com/downloads/content/package-browser/
Package Name
mta/mta-ui-rhel9
CPEs
  • cpe:/a:redhat:migration_toolkit_applications:7
Default Status
unaffected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat build of Apicurio Registry 2
Collection URL
https://access.redhat.com/downloads/content/package-browser/
Package Name
keycloak
CPEs
  • cpe:/a:redhat:service_registry:2
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat build of Quarkus
Collection URL
https://access.redhat.com/downloads/content/package-browser/
Package Name
org.keycloak/keycloak-core
CPEs
  • cpe:/a:redhat:quarkus:2
Default Status
unaffected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Data Grid 8
Collection URL
https://access.redhat.com/downloads/content/package-browser/
Package Name
keycloak
CPEs
  • cpe:/a:redhat:jboss_data_grid:8
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Decision Manager 7
Collection URL
https://access.redhat.com/downloads/content/package-browser/
Package Name
keycloak
CPEs
  • cpe:/a:redhat:jboss_enterprise_brms_platform:7
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Developer Hub
Collection URL
https://access.redhat.com/downloads/content/package-browser/
Package Name
rhdh/rhdh-hub-rhel9
CPEs
  • cpe:/a:redhat:rhdh:1
Default Status
unaffected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Fuse 7
Collection URL
https://access.redhat.com/downloads/content/package-browser/
Package Name
keycloak
CPEs
  • cpe:/a:redhat:jboss_fuse:7
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat JBoss Data Grid 7
Collection URL
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html
Package Name
keycloak
CPEs
  • cpe:/a:redhat:jboss_data_grid:7
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat JBoss Enterprise Application Platform 6
Collection URL
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html
Package Name
keycloak
CPEs
  • cpe:/a:redhat:jboss_enterprise_application_platform:6
Default Status
unknown
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat JBoss Enterprise Application Platform 6
Collection URL
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html
Package Name
org.keycloak-keycloak-parent
CPEs
  • cpe:/a:redhat:jboss_enterprise_application_platform:6
Default Status
unknown
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat JBoss Enterprise Application Platform 6
Collection URL
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html
Package Name
rh-sso7-keycloak
CPEs
  • cpe:/a:redhat:jboss_enterprise_application_platform:6
Default Status
unknown
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat JBoss Enterprise Application Platform 7
Collection URL
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html
Package Name
keycloak
CPEs
  • cpe:/a:redhat:jboss_enterprise_application_platform:7
Default Status
unaffected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat JBoss Enterprise Application Platform 8
Collection URL
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html
Package Name
keycloak
CPEs
  • cpe:/a:redhat:jboss_enterprise_application_platform:8
Default Status
unaffected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat JBoss Enterprise Application Platform Expansion Pack
Collection URL
https://access.redhat.com/jbossnetwork/restricted/listSoftware.html
Package Name
keycloak
CPEs
  • cpe:/a:redhat:jbosseapxp
Default Status
unaffected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat OpenShift GitOps
Collection URL
https://access.redhat.com/downloads/content/package-browser/
Package Name
openshift-gitops-1/gitops-rhel8-operator
CPEs
  • cpe:/a:redhat:openshift_gitops:1
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Process Automation 7
Collection URL
https://access.redhat.com/downloads/content/package-browser/
Package Name
keycloak
CPEs
  • cpe:/a:redhat:jboss_enterprise_bpms_platform:7
Default Status
affected
Vendor
Red Hat, Inc.Red Hat
Product
Red Hat Single Sign-On 7
Collection URL
https://access.redhat.com/downloads/content/package-browser/
Package Name
rh-sso7-keycloak
CPEs
  • cpe:/a:redhat:red_hat_single_sign_on:7
Default Status
affected
Problem Types
TypeCWE IDDescription
CWECWE-79Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Type: CWE
CWE ID: CWE-79
Description: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Metrics
VersionBase scoreBase severityVector
3.16.0MEDIUM
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L
Version: 3.1
Base score: 6.0
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L
Metrics Other Info
Red Hat severity rating
value:
Moderate
namespace:
https://access.redhat.com/security/updates/classification/
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Reported to Red Hat.2023-12-11 00:00:00
Made public.2024-04-16 00:00:00
Event: Reported to Red Hat.
Date: 2023-12-11 00:00:00
Event: Made public.
Date: 2024-04-16 00:00:00
Replaced By
Rejected Reason
References
HyperlinkResource
https://access.redhat.com/errata/RHSA-2024:1353
vendor-advisory
x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:1867
vendor-advisory
x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:1868
vendor-advisory
x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:2945
vendor-advisory
x_refsource_REDHAT
https://access.redhat.com/errata/RHSA-2024:4057
vendor-advisory
x_refsource_REDHAT
https://access.redhat.com/security/cve/CVE-2023-6717
vdb-entry
x_refsource_REDHAT
https://bugzilla.redhat.com/show_bug.cgi?id=2253952
issue-tracking
x_refsource_REDHAT
Hyperlink: https://access.redhat.com/errata/RHSA-2024:1353
Resource:
vendor-advisory
x_refsource_REDHAT
Hyperlink: https://access.redhat.com/errata/RHSA-2024:1867
Resource:
vendor-advisory
x_refsource_REDHAT
Hyperlink: https://access.redhat.com/errata/RHSA-2024:1868
Resource:
vendor-advisory
x_refsource_REDHAT
Hyperlink: https://access.redhat.com/errata/RHSA-2024:2945
Resource:
vendor-advisory
x_refsource_REDHAT
Hyperlink: https://access.redhat.com/errata/RHSA-2024:4057
Resource:
vendor-advisory
x_refsource_REDHAT
Hyperlink: https://access.redhat.com/security/cve/CVE-2023-6717
Resource:
vdb-entry
x_refsource_REDHAT
Hyperlink: https://bugzilla.redhat.com/show_bug.cgi?id=2253952
Resource:
issue-tracking
x_refsource_REDHAT
▼Authorized Data Publishers (ADP)
1. CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
2. CVE Program Container
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://access.redhat.com/errata/RHSA-2024:1867
vendor-advisory
x_refsource_REDHAT
x_transferred
https://access.redhat.com/errata/RHSA-2024:1868
vendor-advisory
x_refsource_REDHAT
x_transferred
https://access.redhat.com/errata/RHSA-2024:2945
vendor-advisory
x_refsource_REDHAT
x_transferred
https://access.redhat.com/errata/RHSA-2024:4057
vendor-advisory
x_refsource_REDHAT
x_transferred
https://access.redhat.com/security/cve/CVE-2023-6717
vdb-entry
x_refsource_REDHAT
x_transferred
https://bugzilla.redhat.com/show_bug.cgi?id=2253952
issue-tracking
x_refsource_REDHAT
x_transferred
Hyperlink: https://access.redhat.com/errata/RHSA-2024:1867
Resource:
vendor-advisory
x_refsource_REDHAT
x_transferred
Hyperlink: https://access.redhat.com/errata/RHSA-2024:1868
Resource:
vendor-advisory
x_refsource_REDHAT
x_transferred
Hyperlink: https://access.redhat.com/errata/RHSA-2024:2945
Resource:
vendor-advisory
x_refsource_REDHAT
x_transferred
Hyperlink: https://access.redhat.com/errata/RHSA-2024:4057
Resource:
vendor-advisory
x_refsource_REDHAT
x_transferred
Hyperlink: https://access.redhat.com/security/cve/CVE-2023-6717
Resource:
vdb-entry
x_refsource_REDHAT
x_transferred
Hyperlink: https://bugzilla.redhat.com/show_bug.cgi?id=2253952
Resource:
issue-tracking
x_refsource_REDHAT
x_transferred
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:secalert@redhat.com
Published At:25 Apr, 2024 | 16:15
Updated At:29 Aug, 2024 | 19:15

A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issue may allow a malicious admin in one realm or a client with registration access to target users in different realms or applications, executing arbitrary JavaScript in their contexts upon form submission. This can enable unauthorized access and harmful actions, compromising the confidentiality, integrity, and availability of the complete KC instance.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.16.0MEDIUM
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L
Type: Secondary
Version: 3.1
Base score: 6.0
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-79Primarysecalert@redhat.com
CWE ID: CWE-79
Type: Primary
Source: secalert@redhat.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://access.redhat.com/errata/RHSA-2024:1353secalert@redhat.com
N/A
https://access.redhat.com/errata/RHSA-2024:1867secalert@redhat.com
N/A
https://access.redhat.com/errata/RHSA-2024:1868secalert@redhat.com
N/A
https://access.redhat.com/errata/RHSA-2024:2945secalert@redhat.com
N/A
https://access.redhat.com/errata/RHSA-2024:4057secalert@redhat.com
N/A
https://access.redhat.com/security/cve/CVE-2023-6717secalert@redhat.com
N/A
https://bugzilla.redhat.com/show_bug.cgi?id=2253952secalert@redhat.com
N/A
Hyperlink: https://access.redhat.com/errata/RHSA-2024:1353
Source: secalert@redhat.com
Resource: N/A
Hyperlink: https://access.redhat.com/errata/RHSA-2024:1867
Source: secalert@redhat.com
Resource: N/A
Hyperlink: https://access.redhat.com/errata/RHSA-2024:1868
Source: secalert@redhat.com
Resource: N/A
Hyperlink: https://access.redhat.com/errata/RHSA-2024:2945
Source: secalert@redhat.com
Resource: N/A
Hyperlink: https://access.redhat.com/errata/RHSA-2024:4057
Source: secalert@redhat.com
Resource: N/A
Hyperlink: https://access.redhat.com/security/cve/CVE-2023-6717
Source: secalert@redhat.com
Resource: N/A
Hyperlink: https://bugzilla.redhat.com/show_bug.cgi?id=2253952
Source: secalert@redhat.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

38Records found
CVE-2017-15125
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.25% / 47.71%
||
7 Day CHG~0.00%
Published-27 Jul, 2018 | 15:00
Updated-05 Aug, 2024 | 19:50
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A flaw was found in CloudForms before 5.9.0.22 in the self-service UI snapshot feature where the name field is not properly sanitized for HTML and JavaScript input. An attacker could use this flaw to execute a stored XSS attack on an application administrator using CloudForms. Please note that CSP (Content Security Policy) prevents exploitation of this XSS however not all browsers support CSP.

Action-Not Available
Vendor-Red Hat, Inc.
Product-cloudforms_management_enginecloudforms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-1932
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.20% / 42.55%
||
7 Day CHG+0.02%
Published-07 Nov, 2024 | 10:00
Updated-08 Nov, 2024 | 19:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Hibernate-validator: rendering of invalid html with safehtml leads to html injection and xss

A flaw was found in hibernate-validator's 'isValid' method in the org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator class, which can be bypassed by omitting the tag ending in a less-than character. Browsers may render an invalid html, allowing HTML injection or Cross-Site-Scripting (XSS) attacks.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat JBoss SOA Platform 5Red Hat AMQ Broker 7A-MQ Clients 2Red Hat JBoss BRMS 5Red Hat support for Spring BootRed Hat Process Automation 7Red Hat A-MQ OnlineRed Hat BPM Suite 6Red Hat Data Grid 8Red Hat JBoss Data Grid 7Red Hat Fuse 7streams for Apache KafkaRed Hat JBoss Fuse Service Works 6Red Hat JBoss Data Virtualization 6Red Hat JBoss Enterprise Application Platform Continuous DeliveryRed Hat JBoss Enterprise Application Platform 7Red Hat OpenStack Platform 10 (Newton)Red Hat Decision Manager 7Red Hat CodeReady Studio 12Red Hat JBoss Fuse 6Red Hat JBoss Operations Network 3Red Hat OpenStack Platform 13 (Queens)Red Hat Single Sign-On 7Red Hat JBoss Enterprise Application Platform 5Red Hat JBoss Enterprise Application Platform 6Red Hat Satellite 6Cryostat 2
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2020-1697
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.28% / 51.24%
||
7 Day CHG~0.00%
Published-10 Feb, 2020 | 14:13
Updated-04 Aug, 2024 | 06:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

It was found in all keycloak versions before 9.0.0 that links to external applications (Application Links) in the admin console are not validated properly and could allow Stored XSS attacks. An authed malicious user could create URLs to trick users in other realms, and possibly conduct further attacks.

Action-Not Available
Vendor-Red Hat, Inc.
Product-single_sign-onkeycloakkeycloak
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-12175
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-3.5||LOW
EPSS-0.47% / 63.73%
||
7 Day CHG~0.00%
Published-26 Jul, 2018 | 17:00
Updated-05 Aug, 2024 | 18:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Red Hat Satellite before 6.5 is vulnerable to a XSS in discovery rule when you are entering filter and you use autocomplete functionality.

Action-Not Available
Vendor-Red Hat, Inc.
Product-satelliteSatellite
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-4137
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-8.1||HIGH
EPSS-0.39% / 59.44%
||
7 Day CHG~0.00%
Published-25 Sep, 2023 | 19:17
Updated-03 Aug, 2024 | 01:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Keycloak: reflected xss attack

A reflected cross-site scripting (XSS) vulnerability was found in the 'oob' OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker.

Action-Not Available
Vendor-Red Hat, Inc.
Product-single_sign-onkeycloakenterprise_linuxRed Hat Single Sign-On 7.6 for RHEL 8Red Hat Single Sign-On 7.6 for RHEL 7Red Hat Single Sign-On 7.6 for RHEL 9Red Hat Single Sign-On 7
CWE ID-CWE-81
Improper Neutralization of Script in an Error Message Web Page
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2016-8608
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.18% / 39.74%
||
7 Day CHG~0.00%
Published-01 Aug, 2018 | 14:00
Updated-06 Aug, 2024 | 02:27
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

JBoss BRMS 6 and BPM Suite 6 are vulnerable to a stored XSS via business process editor. The flaw is due to an incomplete fix for CVE-2016-5398. Remote, authenticated attackers that have privileges to create business processes can store scripts in them, which are not properly sanitized before showing to other users, including admins.

Action-Not Available
Vendor-Red Hat, Inc.
Product-jboss_bpm_suitejboss_business_rules_management_systemBRMS
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-11831
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.52% / 65.89%
||
7 Day CHG~0.00%
Published-10 Feb, 2025 | 15:27
Updated-20 Aug, 2025 | 22:34
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Npm-serialize-javascript: cross-site scripting (xss) in serialize-javascript

A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web application using this package.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat OpenShift Container Platform 3.11Red Hat Advanced Cluster Security 4.4RHODF-4.18-RHEL-9Logging Subsystem for Red Hat OpenShiftRed Hat Ceph Storage 8Red Hat Process Automation 7RHODF-4.16-RHEL-9Red Hat JBoss Enterprise Application Platform 7OpenShift Service Mesh 2Migration Toolkit for VirtualizationRed Hat Fuse 7OpenShift LightspeedRed Hat Enterprise Linux 10Red Hat Trusted Profile AnalyzerRed Hat Discovery 1Red Hat Quay 3Red Hat Satellite 6Cryostat 3Red Hat OpenShift Dev SpacesRed Hat JBoss Enterprise Application Platform 8RHODF-4.14-RHEL-9Red Hat Ansible Automation Platform 2Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat Data Grid 8Red Hat Enterprise Linux 8RHODF-4.15-RHEL-9Red Hat Enterprise Linux 9Red Hat 3scale API Management Platform 2RHODF-4.17-RHEL-9Red Hat Advanced Cluster Security 4.5Red Hat build of OptaPlanner 8Red Hat Developer Hub.NET 6.0 on Red Hat Enterprise LinuxRed Hat OpenShift distributed tracing 3Red Hat Single Sign-On 7Red Hat OpenShift AI (RHOAI)Red Hat Advanced Cluster Management for Kubernetes 2Red Hat OpenShift Container Platform 4Red Hat Ceph Storage 7OpenShift ServerlessRed Hat build of Apicurio Registry 2Red Hat build of Apache Camel - HawtIO 4Red Hat Advanced Cluster Security 4OpenShift PipelinesRed Hat Integration Camel K 1
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-10234
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.41% / 60.82%
||
7 Day CHG~0.00%
Published-22 Oct, 2024 | 13:17
Updated-23 Jul, 2025 | 19:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Wildfly: wildfly vulnerable to cross-site scripting (xss)

A vulnerability was found in Wildfly, where a user may perform Cross-site scripting in the Wildfly deployment system. This flaw allows an attacker or insider to execute a deployment with a malicious payload, which could trigger undesired behavior against the server.

Action-Not Available
Vendor-Red Hat, Inc.
Product-build_of_keycloakjboss_enterprise_application_platformRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 8Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 8Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat JBoss Enterprise Application Platform 7.4 for RHEL 9Red Hat JBoss Enterprise Application Platform 8.0 for RHEL 9RHEL-8 based Middleware ContainersRed Hat Single Sign-On 7.6 for RHEL 8Red Hat JBoss Enterprise Application Platform 8Red Hat Build of KeycloakRed Hat Fuse 7Red Hat Single Sign-On 7.6 for RHEL 9Red Hat Single Sign-On 7Red Hat JBoss Enterprise Application Platform 7.4 on RHEL 7Red Hat JBoss Enterprise Application Platform 7.4.23Red Hat Single Sign-On 7.6 for RHEL 7Red Hat JBoss Data Grid 7
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-4975
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-8.9||HIGH
EPSS-0.06% / 19.91%
||
7 Day CHG+0.01%
Published-27 Jan, 2025 | 13:47
Updated-28 Jan, 2025 | 20:32
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Rhacs: cross-site scripting in portal

A flaw was found in the Red Hat Advanced Cluster Security (RHACS) portal. When rendering a table view in the portal, for example, on any of the /main/configmanagement/* endpoints, the front-end generates a DOM table-element (id="pdf-table"). This information is then populated with unsanitized data using innerHTML. An attacker with some control over the data rendered can trigger a cross-site scripting (XSS) vulnerability.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat Advanced Cluster Security 3
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-10033
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.07% / 20.56%
||
7 Day CHG~0.00%
Published-16 Oct, 2024 | 16:59
Updated-26 Mar, 2025 | 05:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Aap-gateway: xss on aap-gateway

A vulnerability was found in aap-gateway. A Cross-site Scripting (XSS) vulnerability exists in the gateway component. This flaw allows a malicious user to perform actions that impact users by using the "?next=" in a URL, which can lead to redirecting, injecting malicious script, stealing sessions and data.

Action-Not Available
Vendor-Red Hat, Inc.
Product-enterprise_linuxansible_developeransible_insideansible_automation_platformRed Hat Ansible Automation Platform 2.5 for RHEL 8Red Hat Ansible Automation Platform 2.5 for RHEL 9
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-6710
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.45% / 62.52%
||
7 Day CHG-0.18%
Published-12 Dec, 2023 | 22:01
Updated-06 Aug, 2025 | 07:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Mod_cluster/mod_proxy_cluster: stored cross site scripting

A flaw was found in the mod_proxy_cluster in the Apache server. This issue may allow a malicious user to add a script in the 'alias' parameter in the URL to trigger the stored cross-site scripting (XSS) vulnerability. By adding a script on the alias parameter on the URL, it adds a new virtual host and adds the script to the cluster-manager page.

Action-Not Available
Vendor-modclusterRed Hat, Inc.
Product-mod_proxy_clusterenterprise_linuxText-Only JBCSRed Hat Enterprise Linux 9JBoss Core Services for RHEL 8JBoss Core Services on RHEL 7Red Hat JBoss Core Services
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-6134
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-4.6||MEDIUM
EPSS-1.41% / 79.74%
||
7 Day CHG~0.00%
Published-14 Dec, 2023 | 21:42
Updated-07 Aug, 2025 | 11:11
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Keycloak: reflected xss via wildcard in oidc redirect_uri

A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomplete fix for CVE-2020-10748.

Action-Not Available
Vendor-Red Hat, Inc.
Product-single_sign-onopenshift_container_platform_ibm_z_systemsopenshift_container_platformkeycloakenterprise_linuxopenshift_container_platform_for_powerRed Hat Single Sign-On 7Red Hat Single Sign-On 7.6 for RHEL 7Red Hat Single Sign-On 7.6 for RHEL 8Red Hat build of Keycloak 22.0.7Single Sign-On 7.6.6RHEL-8 based Middleware ContainersRed Hat Single Sign-On 7.6 for RHEL 9Red Hat build of Keycloak 22
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2013-0186
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.40% / 59.96%
||
7 Day CHG~0.00%
Published-01 Nov, 2019 | 18:38
Updated-06 Aug, 2024 | 14:18
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Multiple cross-site scripting (XSS) vulnerabilities in ManageIQ EVM allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.

Action-Not Available
Vendor-ManageIQ EVMRed Hat, Inc.
Product-cloudformsmanageiq_enterprise_virtualization_managerManageIQ EVMRed Hat CloudForms 3.0
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-5198
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-5||MEDIUM
EPSS-0.04% / 8.83%
||
7 Day CHG~0.00%
Published-27 May, 2025 | 20:51
Updated-30 Jul, 2025 | 20:15
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stackrox: xss in stackrox

A flaw was found in Stackrox, where it is vulnerable to Cross-site scripting (XSS) if the script code is included in a small subset of table cells. The only known potential exploit is if the script is included in the name of a Kubernetes “Role” object* that is applied to a secured cluster. This object can be used by a user with access to the cluster or through a compromised third-party product.

Action-Not Available
Vendor-stackroxRed Hat, Inc.
Product-advanced_cluster_securitystackroxRed Hat Advanced Cluster Security 4
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3971
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-7.3||HIGH
EPSS-0.44% / 62.42%
||
7 Day CHG~0.00%
Published-04 Oct, 2023 | 14:26
Updated-23 Nov, 2024 | 00:01
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Controller: html injection in custom login info

An HTML injection flaw was found in Controller in the user interface settings. This flaw allows an attacker to capture credentials by creating a custom login page by injecting HTML, resulting in a complete compromise.

Action-Not Available
Vendor-Red Hat, Inc.
Product-ansible_developeransible_automation_platformenterprise_linuxansible_insideansible_automation_controllerRed Hat Ansible Automation Platform 2.4 for RHEL 8Red Hat Ansible Automation Platform 2.3 for RHEL 8Red Hat Ansible Automation Platform 2.3 for RHEL 9Red Hat Ansible Automation Platform 2.4 for RHEL 9
CWE ID-CWE-80
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-3873
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.4||MEDIUM
EPSS-0.51% / 65.25%
||
7 Day CHG~0.00%
Published-12 Jun, 2019 | 13:43
Updated-04 Aug, 2024 | 19:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

It was found that Picketlink as shipped with Jboss Enterprise Application Platform 7.2 would accept an xinclude parameter in SAMLresponse XML. An attacker could use this flaw to send a URL to achieve cross-site scripting or possibly conduct further attacks.

Action-Not Available
Vendor-Red Hat, Inc.
Product-jboss_enterprise_application_platformsingle_sign-onenterprise_linuxpicketlink
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-3889
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-4.6||MEDIUM
EPSS-0.35% / 56.93%
||
7 Day CHG~0.00%
Published-11 Jul, 2019 | 18:27
Updated-04 Aug, 2024 | 19:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A reflected XSS vulnerability exists in authorization flow of OpenShift Container Platform versions: openshift-online-3, openshift-enterprise-3.4 through 3.7 and openshift-enterprise-3.9 through 3.11. An attacker could use this flaw to steal authorization data by getting them to click on a malicious link.

Action-Not Available
Vendor-Red Hat, Inc.
Product-openshift_container_platformatomic-openshift
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-3872
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.23% / 46.10%
||
7 Day CHG~0.00%
Published-12 Jun, 2019 | 13:45
Updated-04 Aug, 2024 | 19:19
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

It was found that a SAMLRequest containing a script could be processed by Picketlink versions shipped in Jboss Application Platform 7.2.x and 7.1.x. An attacker could use this to send a malicious script to achieve cross-site scripting and obtain unauthorized information or conduct further attacks.

Action-Not Available
Vendor-Red Hat, Inc.
Product-jboss_enterprise_application_platformsingle_sign-onenterprise_linuxpicketlink
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-19336
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.30% / 53.21%
||
7 Day CHG~0.00%
Published-19 Mar, 2020 | 13:11
Updated-05 Aug, 2024 | 02:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site scripting vulnerability was reported in the oVirt-engine's OAuth authorization endpoint before version 4.3.8. URL parameters were included in the HTML response without escaping. This flaw would allow an attacker to craft malicious HTML pages that can run scripts in the context of the user's oVirt session.

Action-Not Available
Vendor-ovirtRed Hat, Inc.
Product-ovirt-enginevirtualizationovirt-engine
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2025-23366
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.03% / 7.95%
||
7 Day CHG~0.00%
Published-14 Jan, 2025 | 17:41
Updated-19 Mar, 2025 | 13:49
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Org.jboss.hal:hal-console: wildfly hal console cross-site scripting

A flaw was found in the HAL Console in the Wildfly component, which does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output used as a web page that is served to other users. The attacker must be authenticated as a user that belongs to management groups “SuperUser”, “Admin”, or “Maintainer”.

Action-Not Available
Vendor-Red Hat, Inc.
Product-Red Hat JBoss Data Grid 7Red Hat JBoss Enterprise Application Platform Expansion PackRed Hat JBoss Enterprise Application Platform 7Red Hat JBoss Enterprise Application Platform 8
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-14862
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.55% / 66.93%
||
7 Day CHG~0.00%
Published-02 Jan, 2020 | 14:18
Updated-05 Aug, 2024 | 00:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

There is a vulnerability in knockout before version 3.5.0-beta, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it.

Action-Not Available
Vendor-knockoutjsOracle CorporationRed Hat, Inc.
Product-knockoutprocess_automationbusiness_intelligencegoldengatedecision_managerknockout
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-3384
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.26% / 48.97%
||
7 Day CHG~0.00%
Published-24 Jul, 2023 | 15:19
Updated-31 Jul, 2025 | 12:37
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Quay: stored cross site scripting

A flaw was found in the Quay registry. While the image labels created through Quay undergo validation both in the UI and backend by applying a regex (validation.py), the same validation is not performed when the label comes from an image. This flaw allows an attacker to publish a malicious image to a public registry containing a script that can be executed via Cross-site scripting (XSS).

Action-Not Available
Vendor-Red Hat, Inc.
Product-quayRed Hat Quay 3
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-14863
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-7.1||HIGH
EPSS-0.22% / 45.02%
||
7 Day CHG~0.00%
Published-02 Jan, 2020 | 14:20
Updated-05 Aug, 2024 | 00:26
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

There is a vulnerability in all angular versions before 1.5.0-beta.0, where after escaping the context of the web application, the web application delivers data to its users along with other trusted dynamic content, without validating it.

Action-Not Available
Vendor-Red Hat, Inc.AngularJS
Product-process_automationdecision_managerangular.jsangular:
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2023-0119
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.23% / 45.84%
||
7 Day CHG~0.00%
Published-12 Sep, 2023 | 15:14
Updated-02 Aug, 2024 | 05:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Foreman: stored cross-site scripting in host tab

A stored Cross-site scripting vulnerability was found in foreman. The Comment section in the Hosts tab has incorrect filtering of user input data. As a result of the attack, an attacker with an existing account on the system can steal another user's session, make requests on behalf of the user, and obtain user credentials.

Action-Not Available
Vendor-Red Hat, Inc.
Product-satelliteenterprise_linuxRed Hat Satellite 6.13 for RHEL 8Red Hat Satellite 6.14 for RHEL 8
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-10146
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-4.7||MEDIUM
EPSS-0.26% / 49.25%
||
7 Day CHG~0.00%
Published-18 Mar, 2020 | 14:47
Updated-04 Aug, 2024 | 22:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A Reflected Cross Site Scripting flaw was found in all pki-core 10.x.x versions module from the pki-core server due to the CA Agent Service not properly sanitizing the certificate request page. An attacker could inject a specially crafted value that will be executed on the victim's browser.

Action-Not Available
Vendor-dogtagpkiRed Hat, Inc.
Product-enterprise_linuxdogtagpkipki-core
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-10215
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.43% / 61.62%
||
7 Day CHG~0.00%
Published-08 Oct, 2019 | 18:44
Updated-04 Aug, 2024 | 22:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Bootstrap-3-Typeahead after version 4.0.2 is vulnerable to a cross-site scripting flaw in the highlighter() function. An attacker could exploit this via user interaction to execute code in the user's browser.

Action-Not Available
Vendor-bootstrap-3-typeahead_projectRed Hat, Inc.
Product-bootstrap-3-typeaheadbootstrap3-typeahead.js
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2019-10177
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.40% / 59.87%
||
7 Day CHG~0.00%
Published-27 Jun, 2019 | 20:50
Updated-04 Aug, 2024 | 22:10
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A stored cross-site scripting (XSS) vulnerability was found in the PDF export component of CloudForms, versions 5.9 and 5.10, due to user input is not properly sanitized. An attacker with least privilege to edit compute is able to execute a XSS attack against other users, which could lead to malicious code execution and extraction of the anti-CSRF token of higher privileged users.

Action-Not Available
Vendor-Red Hat, Inc.
Product-cloudforms_management_engineCloudForms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2024-4812
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-4.8||MEDIUM
EPSS-0.08% / 24.17%
||
7 Day CHG~0.00%
Published-05 Jun, 2024 | 15:06
Updated-24 Dec, 2024 | 03:22
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Katello: potential cross-site scripting exploit in ui

A flaw was found in the Katello plugin for Foreman, where it is possible to store malicious JavaScript code in the "Description" field of a user. This code can be executed when opening certain pages, for example, Host Collections.

Action-Not Available
Vendor-katello_projectRed Hat, Inc.
Product-satellitekatelloRed Hat Satellite 6
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-14655
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-4.6||MEDIUM
EPSS-0.23% / 46.07%
||
7 Day CHG~0.00%
Published-13 Nov, 2018 | 19:00
Updated-05 Aug, 2024 | 09:38
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A flaw was found in Keycloak 3.4.3.Final, 4.0.0.Beta2, 4.3.0.Final. When using 'response_mode=form_post' it is possible to inject arbitrary Javascript-Code via the 'state'-parameter in the authentication URL. This allows an XSS-Attack upon succesfully login.

Action-Not Available
Vendor-Red Hat, Inc.
Product-single_sign-onkeycloaklinuxkeycloak
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-1438
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.4||MEDIUM
EPSS-0.15% / 36.42%
||
7 Day CHG~0.00%
Published-20 Sep, 2023 | 13:34
Updated-24 Sep, 2024 | 15:06
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Keycloak: xss on impersonation under specific circumstances

A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability.

Action-Not Available
Vendor-Red Hat, Inc.
Product-keycloakRed Hat Single Sign-On 7.6 for RHEL 7Red Hat Single Sign-On 7.6 for RHEL 9Red Hat Single Sign-On 7.6 for RHEL 8RHEL-8 based Middleware ContainersRed Hat Single Sign-On 7
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-10854
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.5||MEDIUM
EPSS-0.26% / 49.26%
||
7 Day CHG~0.00%
Published-22 Nov, 2019 | 11:51
Updated-05 Aug, 2024 | 07:46
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

cloudforms version, cloudforms 5.8 and cloudforms 5.9, is vulnerable to a cross-site-scripting. A flaw was found in CloudForms's v2v infrastructure mapping delete feature. A stored cross-site scripting due to improper sanitization of user input in Name field.

Action-Not Available
Vendor-Linux Kernel Organization, IncRed Hat, Inc.
Product-cloudforms_management_enginelinux_kernelcloudforms
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-10937
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-4.6||MEDIUM
EPSS-0.42% / 60.89%
||
7 Day CHG~0.00%
Published-11 Sep, 2018 | 16:00
Updated-05 Aug, 2024 | 07:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross site scripting flaw exists in the tetonic-console component of Openshift Container Platform 3.11. An attacker with the ability to create pods can use this flaw to perform actions on the K8s API as the victim.

Action-Not Available
Vendor-Red Hat, Inc.
Product-openshift_container_platformOpenshift Container Platform
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2018-10934
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-5.4||MEDIUM
EPSS-0.44% / 62.23%
||
7 Day CHG~0.00%
Published-27 Mar, 2019 | 12:20
Updated-05 Aug, 2024 | 07:54
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site scripting (XSS) vulnerability was found in the JBoss Management Console versions before 7.1.6.CR1, 7.1.6.GA. Users with roles that can create objects in the application can exploit this to attack other privileged users.

Action-Not Available
Vendor-Red Hat, Inc.
Product-enterprise_linux_serversingle_sign-onjboss_enterprise_application_platformwildfly-core
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-7538
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-3.5||LOW
EPSS-0.25% / 47.71%
||
7 Day CHG~0.00%
Published-26 Jul, 2018 | 15:00
Updated-05 Aug, 2024 | 16:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site scripting (XSS) flaw was found in how an organization name is displayed in Satellite 5, before 5.8. A user able to change an organization's name could exploit this flaw to perform XSS attacks against other Satellite users.

Action-Not Available
Vendor-Red Hat, Inc.
Product-satelliteSatellite
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-7514
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-4.3||MEDIUM
EPSS-0.21% / 42.79%
||
7 Day CHG~0.00%
Published-30 Jul, 2018 | 13:00
Updated-05 Aug, 2024 | 16:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

A cross-site scripting (XSS) flaw was found in how the failed action entry is processed in Red Hat Satellite before version 5.8.0. A user able to specify a failed action could exploit this flaw to perform XSS attacks against other Satellite users.

Action-Not Available
Vendor-Red Hat, Inc.
Product-satelliteRed Hat Satellite
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-7463
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.66% / 70.01%
||
7 Day CHG~0.00%
Published-27 Jul, 2018 | 18:00
Updated-05 Aug, 2024 | 16:04
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

JBoss BRMS 6 and BPM Suite 6 before 6.4.3 are vulnerable to a reflected XSS via artifact upload. A malformed XML file, if uploaded, causes an error message to appear that includes part of the bad XML code verbatim without filtering out scripts. Successful exploitation would allow execution of script code within the context of the affected user.

Action-Not Available
Vendor-Red Hat, Inc.
Product-jboss_bpm_suitebusiness-central
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2017-2674
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-6.1||MEDIUM
EPSS-0.18% / 39.74%
||
7 Day CHG~0.00%
Published-27 Jul, 2018 | 18:00
Updated-05 Aug, 2024 | 14:02
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

JBoss BRMS 6 and BPM Suite 6 before 6.4.3 are vulnerable to a stored XSS via several lists in Business Central. The flaw is due to lack of sanitation of user input when creating new lists. Remote, authenticated attackers that have privileges to create lists can store scripts in them, which are not properly sanitized before showing to other users, including admins.

Action-Not Available
Vendor-Red Hat, Inc.
Product-jboss_bpm_suitebusiness-central
CWE ID-CWE-20
Improper Input Validation
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2022-3205
Matching Score-6
Assigner-Red Hat, Inc.
ShareView Details
Matching Score-6
Assigner-Red Hat, Inc.
CVSS Score-4.6||MEDIUM
EPSS-0.39% / 59.36%
||
7 Day CHG~0.00%
Published-13 Sep, 2022 | 19:19
Updated-03 Aug, 2024 | 01:00
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Controller: cross site scripting in automation controller ui

Cross site scripting in automation controller UI in Red Hat Ansible Automation Platform 1.2 and 2.0 where the project name is susceptible to XSS injection

Action-Not Available
Vendor-Red Hat, Inc.
Product-ansible_automation_platformRed Hat Ansible Automation Platform 1.2Red Hat Ansible Automation Platform 2
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Details not found