CVE-2021-20195

CRITICAL

Keycloak < 13.0.0 - Stored Cross-Site Scripting via User-Supplied Data Fields

Title source: llm
STIX 2.1

Description

A flaw was found in keycloak in versions before 13.0.0. A Self Stored XSS attack vector escalating to a complete account takeover is possible due to user-supplied data fields not being properly encoded and Javascript code being used to process the data. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

References (1)

Core 1
Core References
Issue Tracking, Vendor Advisory x_refsource_misc
https://bugzilla.redhat.com/show_bug.cgi?id=1919143

Scores

CVSS v3 9.6
EPSS 0.0125
EPSS Percentile 65.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Details

CWE
CWE-116 CWE-20
Status published
Products (2)
org.keycloak/keycloak-core 0 - 13.0.0Maven
redhat/keycloak < 12.0.3
Published May 28, 2021
Tracked Since Feb 18, 2026