[keycloak-user] Possible CSRF issue in account page.
Ushanas Shastri
ushanas at gmail.com
Thu Mar 23 08:13:36 EDT 2017
Hello,
We have a page where the user account details can be seen (the KeyCloak
realm/account page).
On that page, the user can update his email address etc.
As part of security testing, we found that this page is vulnerable to Cross
Site Request Forgery.
Is this a known issue, or should I report in JIRA?
Also, is there a way to configure some security options in KeyCloak to
prevent CSRF?
Regards, Ushanas.
On 23-Mar-2017 10:28 AM, "Ushanas Shastri" <ushanas at gmail.com> wrote:
Thank you, this works.
On 22 March 2017 at 21:39, Marko Strukelj <mstrukel at redhat.com> wrote:
> You can add a new admin user by using add-user-keycloak script:
> https://keycloak.gitbooks.io/documentation/content/server_ad
> min/topics/initialization.html.
>
> Then you can log into the Admin Console and set a new password for
> original admin user.
>
> On Wed, Mar 22, 2017 at 12:51 PM, Ushanas Shastri <ushanas at gmail.com>
> wrote:
>
>> Hello,
>> How do I reset the admin password? I don't have the admin password, and
>> want to be able to reset it like it was a new install.
>>
>> Regards, Ushanas.
>> _______________________________________________
>> keycloak-user mailing list
>> keycloak-user at lists.jboss.org
>> https://lists.jboss.org/mailman/listinfo/keycloak-user
>>
>
>
More information about the keycloak-user
mailing list