Keycloak: reflected xss attack
CVE-2022-4137
8.1HIGH
Key Information:
- Vendor
- Red Hat
- Status
- Vendor
- CVE Published:
- 25 September 2023
Summary
A reflected cross-site scripting (XSS) vulnerability exists in Keycloak's 'oob' OAuth endpoint due to improper handling of null bytes. This security flaw enables attackers to craft malicious links that, when clicked by an unsuspecting user or administrator, result in the injection of arbitrary URIs into Keycloak error pages. Such exploitation may allow an attacker to manipulate or gather sensitive user information.
References
CVSS V3.1
Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Collectors
NVD DatabaseMitre Database