It was found that Keycloak would accept a URL from the HTTP Host header in the admin console and use it to determine web resource locations. An attacker could use this flaw against an authenticated user to attain reflected XSS via a malicious server. Upstream issue: https://issues.jboss.org/browse/KEYCLOAK-5225
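As an added illustration (not Keycloak's or Red Hat's code), the mitigation pattern for this class of flaw: derive web resource locations from a configured frontend base URL or a strict allow-list of hostnames, never from the raw client-supplied Host header. The function names, the allow-list and the sample header values are assumptions constructed for the example.

```python
"""Illustrative Host-header hardening for building web resource URLs.

Resource locations are built from a fixed, configured frontend base URL
(or a strict allow-list of hostnames) instead of trusting the Host header.
"""
import re

# Hostname with optional port only; rejects schemes, paths, quotes and
# anything else that could end up reflected into generated HTML.
_HOST_RE = re.compile(r"^[A-Za-z0-9.-]+(:\d{1,5})?$")


def resolve_base_url(host_header, scheme, allowed_hosts, default_base):
    """Return the base URL that resource paths should be built from.

    host_header   : raw value of the request's Host header (may be None)
    scheme        : 'http' or 'https' as seen by the server
    allowed_hosts : set of lowercase 'host' or 'host:port' values to honour
    default_base  : canonical frontend URL used when Host is absent/untrusted
    """
    if not host_header:
        return default_base
    host = host_header.strip().lower()
    if not _HOST_RE.fullmatch(host) or host not in allowed_hosts:
        # Malformed or unknown Host: ignore it and fall back to configuration.
        return default_base
    return f"{scheme}://{host}"


def resource_url(base_url, path):
    """Join a base URL and an absolute resource path without double slashes."""
    return base_url.rstrip("/") + "/" + path.lstrip("/")


# Constructed sample configuration (assumed values, not from Keycloak).
ALLOWED = {"sso.example.com", "sso.example.com:8443"}
DEFAULT_BASE = "https://sso.example.com"

if __name__ == "__main__":
    for hdr in ["sso.example.com", "SSO.Example.com:8443",
                "untrusted.example", "not a host", None]:
        base = resolve_base_url(hdr, "https", ALLOWED, DEFAULT_BASE)
        print(repr(hdr), "->", resource_url(base, "/resources/admin/app.js"))
```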
Acknowledgments: Name: Mykhailo Stadnyk (Playtech)
This issue has been addressed in the following products: Red Hat Single Sign-On Via RHSA-2017:2906 https://access.redhat.com/errata/RHSA-2017:2906
This issue has been addressed in the following products: Red Hat Single Sign-On 7.1 for RHEL 6 Via RHSA-2017:2904 https://access.redhat.com/errata/RHSA-2017:2904
This issue has been addressed in the following products: Red Hat Single Sign-On 7.1 for RHEL 7 Via RHSA-2017:2905 https://access.redhat.com/errata/RHSA-2017:2905