Stored Cross-Site Scripting (XSS) in Keycloak via groups dropdown

Summary

A Stored XSS vulnerability was reported in the Keycloak Security mailing list, affecting all the versions of Keycloak, including the latest release (16.0.1). The vulnerability allows a privileged attacker to execute malicious scripts in the admin console, abusing of the groups' dropdown functionality.

Impact

Successful attacks of this vulnerability can result a privileged attacker to load a XSS script, and steal data from other users. The impact can be considered moderate to low, considering privileged credentials are required.

References

Please refer to the Keycloak Security mailing list for more information.

Published: Nov 29, 2022
Updated: Apr 14, 2023
GHSA: GHSA-755v-r4x4-qf7m
Severity: Medium
Exploit:

No technical information available.

CWEs:

CWE-80

Affected Software
References

Software	From	Fixed in
org.keycloak / keycloak-core	-	20.0.0

https://github.com/keycloak/keycloak/security/advisories/GHSA-755v-r4x4-qf7m

Vulnerability Database

289,599

Stored Cross-Site Scripting (XSS) in Keycloak via groups dropdown

Summary

Impact

References