GHSA-37j9-56gh-j2r7HighCVSS 7.3
A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically...
🔗 CVE IDs covered (1)
📋 Description
A flaw was found in Keycloak. A remote attacker with administrative privileges, specifically those with manage-client permission or access to client registration endpoints, could bypass client Uniform Resource Identifier (URI) validation. This is achieved by registering a malicious client with a specially crafted redirect URI using a case-insensitive javascript: or data: scheme. This Cross-Site Scripting (XSS) vulnerability allows for arbitrary code execution in the Keycloak origin when a victim clicks the crafted link, such as in the logout flow or the Admin Console.