Stored Cross-Site Scripting (XSS) in Keycloak via groups dropdown

Moderate severity GitHub Reviewed Published Nov 24, 2022 in keycloak/keycloak • Updated Jan 9, 2023

Package

maven org.keycloak:keycloak-core (Maven)

Affected versions

< 20.0.0

Patched versions

20.0.0

Description

Summary

A Stored XSS vulnerability was reported on the Keycloak Security mailing list, affecting all versions of Keycloak, including the latest release (16.0.1). The vulnerability allows a privileged attacker to execute malicious scripts in the admin console by abusing the groups dropdown functionality.

Impact

Successful exploitation of this vulnerability allows a privileged attacker to load an XSS script and steal data from other users. The impact can be considered moderate to low, since privileged credentials are required.

References

  • Please refer to the Keycloak Security mailing list for more information.

@abstractj abstractj published to keycloak/keycloak Nov 24, 2022
Published to the GitHub Advisory Database Nov 29, 2022
Reviewed Nov 29, 2022
Last updated Jan 9, 2023

Severity

Moderate

CVE ID

No known CVE

GHSA ID

GHSA-755v-r4x4-qf7m
