A flaw was found in keycloak in versions before 13.0.0. A Self Stored XSS attack vector escalating to a complete account takeover is possible due to user-supplied data fields not being properly encoded and Javascript code being used to process the data. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:HRed Hat Keycloak
APPRedhat< 12.0.3
Related vulnerabilities
Keycloak, an open-source identity and access management solution, has a cross-site scripting (XSS) vulnerabili...
keycloak: path traversal via double URL encoding. A flaw was found in Keycloak, where it does not properly val...
A privilege escalation flaw was found in the token exchange feature of keycloak. Missing authorization allows ...
A flaw was found in keycloack before version 8.0.0. The owner of 'placeholder.org' domain can setup mail serve...
A vulnerability was found in keycloak 7.x, when keycloak is configured with LDAP user federation and StartTLS ...