Cross-site Scripting (XSS)

2023-03-0219:11:36

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

125

keycloak

cross-site scripting

remote attacker

arbitrary uri

error page

null-byte handling

vulnerability

oauth

0.001 Low

EPSS

Percentile

37.1%

JSON

org.keycloak:keycloak-services is vulnerable to Cross-site Scripting (XSS) attacks. A remote attacker is able to insert an arbitrary URI into an error page via the oob OAuth endpoint due to incorrect null-byte handling.

CPENameOperatorVersion
keycloak rest servicesle20.0.4
rh-sso7-keycloakeq2.5.5__2.Final_redhat_1.1.jbcs.el7
rh-sso7-keycloakeq2.4.0__4.Final_redhat_1.1.jbcs.el7
rh-sso7-keycloakeq2.5.10__1.Final_redhat_1.1.jbcs.el7
rh-sso7-keycloakeq3.4.3__1.Final_redhat_2.1.jbcs.el7
rh-sso7-keycloakeq3.4.10__1.Final_redhat_1.1.jbcs.el7
rh-sso7-keycloakeq3.4.12__1.Final_redhat_1.1.jbcs.el7
rh-sso7-keycloakeq2.5.14__1.Final_redhat_1.1.jbcs.el7
rh-sso7-keycloakeq2.5.15__2.Final_redhat_3.1.jbcs.el7
rh-sso7-keycloakeq2.5.7__1.Final_redhat_2.1.jbcs.el7

Name	Operator	Version
keycloak rest services	le	20.0.4
rh-sso7-keycloak	eq	2.5.5__2.Final_redhat_1.1.jbcs.el7
rh-sso7-keycloak	eq	2.4.0__4.Final_redhat_1.1.jbcs.el7
rh-sso7-keycloak	eq	2.5.10__1.Final_redhat_1.1.jbcs.el7
rh-sso7-keycloak	eq	3.4.3__1.Final_redhat_2.1.jbcs.el7
rh-sso7-keycloak	eq	3.4.10__1.Final_redhat_1.1.jbcs.el7
rh-sso7-keycloak	eq	3.4.12__1.Final_redhat_1.1.jbcs.el7
rh-sso7-keycloak	eq	2.5.14__1.Final_redhat_1.1.jbcs.el7
rh-sso7-keycloak	eq	2.5.15__2.Final_redhat_3.1.jbcs.el7
rh-sso7-keycloak	eq	2.5.7__1.Final_redhat_2.1.jbcs.el7