CVE-2020-1697 – org.keycloak:keycloak-core

Package

Manager: maven
Name: org.keycloak:keycloak-core
Vulnerable Version: >=0 <9.0.0

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00283 pctl0.51253

Details

XSS in Keycloak It was found in all keycloak versions before 9.0.0 that links to external applications (Application Links) in the admin console are not validated properly and could allow Stored XSS attacks. An authed malicious user could create URLs to trick users in other realms, and possibly conduct further attacks.

Metadata

Created: 2020-04-15T21:09:09Z
Modified: 2021-08-23T15:16:25Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/04/GHSA-8vf3-4w62-m3pq/GHSA-8vf3-4w62-m3pq.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-8vf3-4w62-m3pq
Finding: F425
Auto approve: 1