Cross-site Scripting in keycloak

GHSA-484q-784p-8m5h · CVE-2020-10776

Published Feb 9, 2022 · Modified Apr 22, 2024

Description

A flaw was found in Keycloak before version 12.0.0, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a Cross-site scripting attack.

References

4.8 / 10

MEDIUM CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Affected Packages

Maven/org.keycloak:keycloak-server-spi-private

Fix 12.0.0

Introduced 0

57 affected versions

10.0.010.0.110.0.211.0.011.0.111.0.211.0.32.4.0.CR12.4.0.Final2.5.0.CR12.5.0.Final2.5.1.Final2.5.4.Final2.5.5.Final3.0.0.CR13.0.0.Final3.1.0.CR13.1.0.Final3.2.0.CR13.2.0.Final +37 more

Maven/org.keycloak:keycloak-services

Fix 12.0.0

Introduced 0

117 affected versions

1.0-alpha-11.0-alpha-1-120620131.0-alpha-21.0-alpha-31.0-alpha-41.0-beta-11.0-beta-1-201505211.0-beta-1-201505231.0-beta-21.0-beta-31.0-beta-41.0-final1.0-rc-11.0-rc-21.0.1.Final1.0.2.Final1.0.3.Final1.0.4.Final1.0.5.Final1.1.0.Beta1 +97 more

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes