Keycloak: xss on impersonation under specific circumstances
CVE-2022-1438

6.4MEDIUM

Key Information:

Vendor: Red Hat
Status: Red Hat Single Sign-on 7; Red Hat Single Sign-on 7.6 For Rhel 7; Red Hat Single Sign-on 7.6 For Rhel 8; Red Hat Single Sign-on 7.6 For Rhel 9
Vendor: CVE Published:; 20 September 2023

Summary

A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability.

References

https://access.redhat.com/errata/RHSA-2023:1043

vendor-advisoryx_refsource_REDHAT

https://access.redhat.com/errata/RHSA-2023:1044

vendor-advisoryx_refsource_REDHAT

https://access.redhat.com/errata/RHSA-2023:1045

vendor-advisoryx_refsource_REDHAT

CVSS V3.1

Score:

6.4

Severity:

MEDIUM

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Privileges Required:

High

User Interaction:

Required

Scope:

Unchanged

Timeline

Vulnerability published
Sep 20, 2023
Vulnerability Reserved
Apr 22, 2022

Collectors

NVD DatabaseMitre Database

Credit

Red Hat would like to thank Grzegorz Tworek (SISOFT s.c.) for reporting this issue.