Description
In all Keycloak versions before 9.0.0, links to external applications (Application Links) in the admin console are not validated properly, which allows stored XSS attacks. An authenticated malicious user could create URLs to trick users in other realms and possibly conduct further attacks.
A flaw was found during the assessment of the Admin Console application for Keycloak: Application Links to external applications are not validated properly. An attacker could use this flaw to carry out stored XSS attacks.
Affected packages
| Platform | Package | Status | Advisory | Release |
|---|---|---|---|---|
| Red Hat Fuse 7 | keycloak | Not affected | | |
| Red Hat Mobile Application Platform 4 | keycloak | Out of support scope | | |
| Red Hat OpenShift Application Runtimes | keycloak | Affected | | |
| Red Hat Single Sign-On 7 | rh-sso7-keycloak | Affected | | |
| Red Hat support for Spring Boot | keycloak | Affected | | |
| Red Hat Runtimes Spring Boot 2.2.6 | keycloak | Fixed | RHSA-2020:2252 | 01.06.2020 |
| Red Hat Single Sign-On 7.3 | | Fixed | RHSA-2020:0445 | 06.02.2020 |
| Text-Only RHOAR | | Fixed | RHSA-2020:2905 | 23.07.2020 |
Additional information
Status:
EPSS:
CVSS3: 6.1 Medium