CVE-2020-1697

MEDIUM

Keycloak < 9.0.0 - Authenticated Stored Cross-Site Scripting via Application Links

Title source: llm

Description

It was found in all Keycloak versions before 9.0.0 that links to external applications (Application Links) in the admin console are not validated properly and could allow stored XSS attacks. An authenticated malicious user could create URLs to trick users in other realms, and possibly conduct further attacks.

References (1)

Core References (1)
Issue Tracking, Third Party Advisory (x_refsource_confirm)
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1697

Scores

CVSS v3 6.1
EPSS 0.0028
EPSS Percentile 51.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE
CWE-79
Status published
Products (3)
org.keycloak/keycloak-core (Maven) 0 - 9.0.0
redhat/keycloak < 9.0.0
redhat/single_sign-on 7.3
Published Feb 10, 2020
Tracked Since Feb 18, 2026