Search for packages
| purl | pkg:npm/keycloak-connect@4.0.0%2BBeta2 |
| Tags | Ghost |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 3.1 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-ffj8-xhcs-7kfx
Aliases: CVE-2018-14655 GHSA-458h-wv48-fq75 |
Keycloak vulnerable to cross-site scripting via the state parameter A flaw was found in Keycloak 3.4.3.Final, 4.0.0.Beta2, 4.3.0.Final. When using `response_mode=form_post` it is possible to inject arbitrary Javascript-Code via the 'state'-parameter in the authentication URL. This allows an XSS-Attack upon succesfully login. |
Affected by 32 other vulnerabilities. Affected by 32 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2025-07-31T09:23:33.740706+00:00 | GitLab Importer | Affected by | VCID-ffj8-xhcs-7kfx | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/keycloak-connect/CVE-2018-14655.yml | 37.0.0 |