Headline
GHSA-8rmm-gm28-pj8q: Keycloak Cross-site Scripting (XSS) via assertion consumer service URL in SAML POST-binding flow
Keycloak allows arbitrary URLs as SAML Assertion Consumer Service POST Binding URL (ACS), including JavaScript URIs (javascript:).
Allowing JavaScript URIs in combination with HTML forms leads to JavaScript evaluation in the context of the embedding origin on form submission.
Acknowledgements:
Special thanks to Lauritz Holtmann for reporting this issue and helping us improve our project.
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2023-6717
Keycloak Cross-site Scripting (XSS) via assertion consumer service URL in SAML POST-binding flow
High severity GitHub Reviewed Published Apr 17, 2024 in keycloak/keycloak • Updated Apr 17, 2024
Package
maven org.keycloak:keycloak-services (Maven)
Affected versions
< 22.0.10
>= 23.0.0, < 24.0.3
Patched versions
22.0.10
24.0.3
Keycloak allows arbitrary URLs as SAML Assertion Consumer Service POST Binding URL (ACS), including JavaScript URIs (javascript:).
Allowing JavaScript URIs in combination with HTML forms leads to JavaScript evaluation in the context of the embedding origin on form submission.
Acknowledgements:
Special thanks to Lauritz Holtmann for reporting this issue and helping us improve our project.
References
- GHSA-8rmm-gm28-pj8q
Published to the GitHub Advisory Database
Apr 17, 2024
Last updated
Apr 17, 2024
Related news
Red Hat Security Advisory 2024-4057-03 - Release of OpenShift Serverless Logic 1.33.0. Issues addressed include cross site scripting and denial of service vulnerabilities.
Red Hat Security Advisory 2024-1868-03 - An update is now available for Red Hat build of Keycloak. Issues addressed include bypass, cross site scripting, and denial of service vulnerabilities.