CVE-2021-20195

CRITICAL

Keycloak < 13.0.0 - Stored Cross-Site Scripting via User-Supplied Data Fields

Title source: llm

Description

A flaw was found in keycloak in versions before 13.0.0. A Self Stored XSS attack vector escalating to a complete account takeover is possible due to user-supplied data fields not being properly encoded and Javascript code being used to process the data. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

References (1)

Core 1

Core References

Issue Tracking, Vendor Advisory x_refsource_misc

https://bugzilla.redhat.com/show_bug.cgi?id=1919143

Scores

CVSS v3 9.6

EPSS 0.0031

EPSS Percentile 53.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Details

CWE

CWE-20 CWE-116

Status published

Products (2)

org.keycloak/keycloak-core 0 - 13.0.0Maven

redhat/keycloak < 12.0.3

Published May 28, 2021

Tracked Since Feb 18, 2026