Keycloak: reflected xss attack
CVE-2022-4137

8.1HIGH

Summary

A reflected cross-site scripting (XSS) vulnerability exists in Keycloak's 'oob' OAuth endpoint due to improper handling of null bytes. This security flaw enables attackers to craft malicious links that, when clicked by an unsuspecting user or administrator, result in the injection of arbitrary URIs into Keycloak error pages. Such exploitation may allow an attacker to manipulate or gather sensitive user information.

References

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Collectors

NVD DatabaseMitre Database
.