Description
A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users.
Remediation
References
https://bugzilla.redhat.com/show_bug.cgi?id=2073157
https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725
https://herolab.usd.de/security-advisories/usd-2021-0033/