CVE-2021-20222

A flaw was found in keycloak. The new account console in keycloak can allow malicious code to be executed using the referrer URL. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Published: Mar 23, 2021
Updated: May 9, 2024
CVE: CVE-2021-20222
GHSA: GHSA-2mq8-99q7-55wx
Severity: High
Exploit:

CVSS v3:

Severity: High
Score: 7.5
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

CVSS v2:

Severity: Medium
Score: 5.1
AV:N/AC:H/Au:N/C:P/I:P/A:P

CWEs:

CWE-20
CWE-79

OWASP TOP 10:

A7 - Cross-Site Scripting (XSS)

Affected Software
References

Software	From	Fixed in
redhat / keycloak	9.0.0	13.0.0
org.keycloak / keycloak-parent	9.0.0	12.0.3

https://access.redhat.com/security/cve/cve-2021-20222
https://bugzilla.redhat.com/show_bug.cgi?id=1924606
https://github.com/keycloak/keycloak/commit/3b80eee5bfdf2b80c47465c0f2eaf70074808741

Vulnerability Database

289,599

CVE-2021-20222