Fluid Attacks Database

Description

Keycloak vulnerable to cross-site scripting via the state parameter A flaw was found in Keycloak 3.4.3.Final, 4.0.0.Beta2, 4.3.0.Final. When using response_mode=form_post it is possible to inject arbitrary Javascript-Code via the 'state'-parameter in the authentication URL. This allows an XSS-Attack upon succesfully login.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.keycloak:keycloak-parent	>=0 <=3.4.3.final \|\| >=4.0.0.beta1 <=4.0.0.beta2 \|\| =4.3.0.final	-
maven	org.keycloak:keycloak-core	>=3.4.3.final <=4.3.9.final	-
npm	keycloak-connect	=3.4.3 \|\| =4.0.0-beta.2 \|\| =4.3.0	4.1.0, 4.4.0

Aliases

1. CVE-2018-146552. NVD-2018-146553. OSV-2018-146554. GHSA-458h-wv48-fq755. GCVE-2018-146556. access.redhat.com7. access.redhat.com8. access.redhat.com9. bugzilla.redhat.com

References

1. https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-14655