Description

It was found in all keycloak versions before 9.0.0 that links to external applications (Application Links) in the admin console are not validated properly and could allow Stored XSS attacks. An authed malicious user could create URLs to trick users in other realms, and possibly conduct further attacks.

Remediation

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1697

Related Vulnerabilities

CVE-2023-37944 Vulnerability in maven package org.datadog.jenkins.plugins:datadog

CVE-2020-8203 Vulnerability in maven package org.webjars:lodash

CVE-2022-39218 Vulnerability in npm package @fastly/js-compute

CVE-2020-36732 Vulnerability in maven package org.webjars.bower:crypto-js

CVE-2022-23080 Vulnerability in npm package directus

Severity

Medium

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Issue Tracking Third Party Advisory