Description

It was found in all keycloak versions before 9.0.0 that links to external applications (Application Links) in the admin console are not validated properly and could allow Stored XSS attacks. An authed malicious user could create URLs to trick users in other realms, and possibly conduct further attacks.

Remediation

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1697

Related Vulnerabilities

CVE-2023-6291 Vulnerability in maven package org.keycloak:keycloak-services

CVE-2020-7691 Vulnerability in maven package org.webjars.npm:jspdf

CVE-2020-6458 Vulnerability in npm package electron

CVE-2021-23419 Vulnerability in npm package open-graph

CVE-2019-10473 Vulnerability in maven package org.jenkins-ci.plugins:libvirt-slave

Severity

Medium

Classification

CWE-79 CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Tags

Issue Tracking Third Party Advisory