Vulnerability Details CVE-2020-10686
A flaw was found in Keycloak version 8.0.2 and 9.0.0, and was fixed in Keycloak version 9.0.1, where a malicious user registers as oneself. The attacker could then use the remove devices form to post different credential IDs and possibly remove MFA devices for other users.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 46.8%
CVSS Severity
CVSS v3 Score 4.1
CVSS v2 Score 6.5
References