Improper Restriction of Rendered UI Layers or Frames

CVE-2020-1728

Medium

5.4/10

Summary

A vulnerability was found in keycloak-server-spi-private before version 10.0.0, keycloak-services before version 10.0.0 and all versions of Keycloak-broker-oidc where, the pages on the Admin Console area of the application are completely missing general HTTP security headers in HTTP-responses. This does not directly lead to a security issue, yet it might aid attackers in their efforts to exploit other problems. The flaws unnecessarily make the servers more prone to Clickjacking, channel downgrade attacks and other similar client-based attack vectors.

Attack Complexity: LOW
Attack Vector: NETWORK
Integrity Impact: LOW
Scope: UNCHANGED
User Interaction: REQUIRED
Privileges Required: NONE
Confidentiality Impact: LOW
Availability Impact: NONE

CWE-1021 - Improper Restriction of Rendered UI Layers or Frames

The web application does not restrict or incorrectly restricts frame objects or UI layers that belong to another application or domain, which can lead to user confusion about which interface the user is interacting with.

References

Advisory Timeline

Published Apr 06, 2020

Improper Restriction of Rendered UI Layers or Frames

CVE-2020-1728

Summary

CWE-1021 - Improper Restriction of Rendered UI Layers or Frames

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS