Skip to content

Reflected XSS on clients-registrations endpoint

Moderate severity GitHub Reviewed Published Apr 25, 2022 in keycloak/keycloak • Updated Jan 7, 2023

Package

maven org.keycloak:keycloak-parent (Maven)

Affected versions

>= 10.0.0, < 18.0.0

Patched versions

18.0.0

Description

A POST based reflected Cross Site Scripting vulnerability on has been identified in Keycloak. When a malicious request is sent to the client registration endpoint, the error message is not properly escaped, allowing an attacker to execute malicious scripts into the user's browser.

Acknowledgement

Keycloak would like to thank Quentin TEXIER (Pentester at Opencyber) for reporting this issue.

References

@abstractj abstractj published to keycloak/keycloak Apr 25, 2022
Published to the GitHub Advisory Database Apr 28, 2022
Reviewed Apr 28, 2022
Last updated Jan 7, 2023

Severity

Moderate

Weaknesses

CVE ID

No known CVE

GHSA ID

GHSA-m98g-63qj-fp8j

Source code

Checking history
See something to contribute? Suggest improvements for this vulnerability.