CVE-2020-1697

It was found in all keycloak versions before 9.0.0 that links to external applications (Application Links) in the admin console are not validated properly and could allow Stored XSS attacks. An authed malicious user could create URLs to trick users in other realms, and possibly conduct further attacks.

Published: Feb 10, 2020
Updated: Nov 8, 2023
CVE: CVE-2020-1697
GHSA: GHSA-8vf3-4w62-m3pq
Severity: Medium
Exploit:

CVSS v3:

Severity: Medium
Score: 5.4
AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS v2:

Severity: Low
Score: 3.5
AV:N/AC:M/Au:S/C:N/I:P/A:N

CWEs:

CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
redhat / keycloak	-	9.0.0
redhat / single_sign-on	7.3	7.3.x
org.keycloak / keycloak-core	-	9.0.0

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1697

Vulnerability Database

289,599

CVE-2020-1697