A Stored XSS vulnerability was reported in the Keycloak Security mailing list, affecting all the versions of Keycloak, including the latest release (16.0.1). The vulnerability allows a privileged attacker to execute malicious scripts in the admin console, abusing of the groups' dropdown functionality.
WS-2022-0408 - Medium Severity Vulnerability
Keycloak SSO
Library home page: http://keycloak.org
Path to dependency file: /pom.xml
Path to vulnerable library: /canner/.m2/repository/org/keycloak/keycloak-core/11.0.0-alfresco-001/keycloak-core-11.0.0-alfresco-001.jar
Dependency Hierarchy: - :x: **keycloak-core-11.0.0-alfresco-001.jar** (Vulnerable Library)
Found in HEAD commit: 53019ef94e0bd9570f6d298f12cfbcfe3da234c2
Found in base branch: master
A Stored XSS vulnerability was reported in the Keycloak Security mailing list, affecting all the versions of Keycloak, including the latest release (16.0.1). The vulnerability allows a privileged attacker to execute malicious scripts in the admin console, abusing of the groups' dropdown functionality.
Publish Date: 2022-11-30
URL: WS-2022-0408
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: Required - Scope: Changed - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: Low - Availability Impact: None
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://github.com/advisories/GHSA-755v-r4x4-qf7m
Release Date: 2022-11-30
Fix Resolution: 20.0.0
Step up your Open Source Security Game with Mend here