Vulnerabilities > Redhat > Keycloak > 1.9.8
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2020-02-10 | CVE-2020-1697 | Cross-site Scripting vulnerability in Redhat Keycloak It was found in all keycloak versions before 9.0.0 that links to external applications (Application Links) in the admin console are not validated properly and could allow Stored XSS attacks. | 5.4 |
| 2020-01-08 | CVE-2019-14820 | Unspecified vulnerability in Redhat products It was found that keycloak before version 8.0.0 exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. | 4.3 |
| 2020-01-07 | CVE-2019-14837 | Use of Hard-coded Credentials vulnerability in Redhat Keycloak A flaw was found in keycloack before version 8.0.0. | 9.1 |
| 2019-10-15 | CVE-2019-14832 | Incorrect Authorization vulnerability in Redhat Keycloak A flaw was found in the Keycloak REST API before version 8.0.0 where it would permit user access from a realm the user was not configured. | 7.5 |
| 2019-08-14 | CVE-2019-10201 | Improper Verification of Cryptographic Signature vulnerability in Redhat Keycloak and Single Sign-On It was found that Keycloak's SAML broker, versions up to 6.0.1, did not verify missing message signatures. | 8.1 |
| 2019-08-14 | CVE-2019-10199 | Cross-Site Request Forgery (CSRF) vulnerability in Redhat Keycloak It was found that Keycloak's account console, up to 6.0.1, did not perform adequate header checks in some requests. | 8.8 |
| 2019-06-12 | CVE-2019-3875 | Improper Certificate Validation vulnerability in Redhat Keycloak and Single Sign-On A vulnerability was found in keycloak before 6.0.2. | 4.8 |
| 2019-06-12 | CVE-2019-10157 | Improper Authentication vulnerability in Redhat Keycloak and Single Sign-On It was found that Keycloak's Node.js adapter before version 4.8.3 did not properly verify the web token received from the server in its backchannel logout . | 5.5 |
| 2019-04-24 | CVE-2019-3868 | Information Exposure vulnerability in Redhat Keycloak Keycloak up to version 6.0.0 allows the end user token (access or id token JWT) to be used as the session cookie for browser sessions for OIDC. | 3.8 |
| 2018-11-30 | CVE-2018-14637 | Improper Authentication vulnerability in Redhat Keycloak The SAML broker consumer endpoint in Keycloak before version 4.6.0.Final ignores expiration conditions on SAML assertions. | 8.1 |