Stored XSS Vulnerability in Keycloak Admin Console
CVE-2024-4028

3.8LOW

Key Information:

Vendor: Red Hat
Status: Red Hat Build Of Keycloak; Red Hat Single Sign-on 7
Vendor: CVE Published:; 18 February 2025

Summary

A vulnerability in Keycloak has been identified that may allow an attacker with elevated privileges to execute a stored cross-site scripting (XSS) attack. This issue arises when an attacker provides a malicious payload during the creation of resources and permissions in the admin console. If successful, this could lead to unauthorized actions and data exposure within the Keycloak environment, giving attackers the ability to manipulate the application behavior when the malicious payload is executed in the context of an unsuspecting user.

References

https://access.redhat.com/security/cve/CVE-2024-4028

vdb-entryx_refsource_REDHAT

https://bugzilla.redhat.com/show_bug.cgi?id=2276418

issue-trackingx_refsource_REDHAT

CVSS V3.1

Score:

3.8

Severity:

LOW

Confidentiality:

Low

Integrity:

Low

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Feb 18, 2025
Vulnerability Reserved
Apr 22, 2024