Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS04cm1tLWdtMjgtcGo4cc4AA7I3

Moderate EPSS: 0.00042% (0.12378 Percentile) EPSS:
Permalink JSON

Keycloak Cross-site Scripting (XSS) via assertion consumer service URL in SAML POST-binding flow

Affected Packages Affected Versions Fixed Versions
maven:org.keycloak:keycloak-services >= 23.0.0, < 24.0.3, < 22.0.10 24.0.3, 22.0.10
90 Dependent packages
561 Dependent repositories

Affected Version Ranges

All affected versions

5.0.0, 6.0.0, 6.0.1, 7.0.0, 7.0.1, 8.0.0, 8.0.1, 8.0.2, 9.0.0, 9.0.2, 9.0.3, 10.0.0, 10.0.1, 10.0.2, 11.0.0, 11.0.1, 11.0.2, 11.0.3, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.0.4, 13.0.0, 13.0.1, 14.0.0, 15.0.0, 15.0.1, 15.0.2, 15.1.0, 15.1.1, 16.0.0, 16.1.0, 16.1.1, 17.0.0, 17.0.1, 18.0.0, 18.0.1, 18.0.2, 19.0.0, 19.0.1, 19.0.2, 19.0.3, 20.0.0, 20.0.1, 20.0.2, 20.0.3, 20.0.4, 20.0.5, 21.0.0, 21.0.1, 21.0.2, 21.1.0, 21.1.1, 21.1.2, 22.0.0, 22.0.1, 22.0.2, 22.0.3, 22.0.4, 22.0.5, 23.0.0, 23.0.1, 23.0.2, 23.0.3, 23.0.4, 23.0.5, 23.0.6, 23.0.7, 24.0.0, 24.0.1, 24.0.2

All unaffected versions

24.0.3, 24.0.4, 24.0.5, 25.0.0, 25.0.1, 25.0.2, 25.0.3, 25.0.4, 25.0.5, 25.0.6, 26.0.0, 26.0.1, 26.0.2, 26.0.3, 26.0.4, 26.0.5, 26.0.6, 26.0.7, 26.0.8, 26.1.0, 26.1.1, 26.1.2, 26.1.3, 26.1.4, 26.1.5, 26.2.0, 26.2.1, 26.2.2, 26.2.3, 26.2.4, 26.2.5, 26.3.0, 26.3.1, 26.3.2

Keycloak allows arbitrary URLs as SAML Assertion Consumer Service POST Binding URL (ACS), including JavaScript URIs (javascript:).

Allowing JavaScript URIs in combination with HTML forms leads to JavaScript evaluation in the context of the embedding origin on form submission.

Acknowledgements:

Special thanks to Lauritz Holtmann for reporting this issue and helping us improve our project.

References:

Identifiers

GHSA-8rmm-gm28-pj8q

CVE-2023-6717

Risk

Severity

Moderate

EPSS

EPSS Percentage: 0.00042

EPSS Percentile: 0.12378

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/keycloak/keycloak

Date and time

Published

over 1 year ago

Updated

11 months ago

API

JSON