Stored XSS Vulnerability in Keycloak Admin Console by Red Hat
CVE-2020-1697

6.1MEDIUM

Key Information:

Vendor: Red Hat
Status: Keycloak
Vendor: CVE Published:; 10 February 2020

What is CVE-2020-1697?

A vulnerability exists in Keycloak versions prior to 9.0.0 related to improper validation of links to external applications within the admin console. This flaw can lead to stored XSS attacks, where an authenticated malicious user could craft misleading URLs that exploit victims in different realms. Successful exploitation could allow attackers to execute arbitrary scripts in the context of the user’s session, potentially compromising sensitive information and enabling further attacks.

Affected Version(s)

keycloak All versions before 9.0.0

References

https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1697

x_refsource_CONFIRM

CVSS V3.1

Score:

6.1

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Changed

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Feb 10, 2020
Vulnerability Reserved
Nov 27, 2019

JSON