CVE-2023-6134

MEDIUM

Keycloak - Cross-Site Scripting

Title source: llm

Description

A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomplete fix for CVE-2020-10748.

References (14)

Core 14

Core References

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2023:7854

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2023:7855

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2023:7856

Exploit, Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2023:7857

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2023:7858

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2023:7860

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2023:7861

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2024:0798

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2024:0799

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2024:0800

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2024:0801

Vendor Advisory vendor-advisory x_refsource_redhat

https://access.redhat.com/errata/RHSA-2024:0804

Vendor Advisory vdb-entry x_refsource_redhat

https://access.redhat.com/security/cve/CVE-2023-6134

Issue Tracking issue-tracking x_refsource_redhat

https://bugzilla.redhat.com/show_bug.cgi?id=2249673

Scores

CVSS v3 4.6

EPSS 0.0247

EPSS Percentile 85.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (10)

org.keycloak/keycloak-services 0 - 23.0.3Maven

redhat/keycloak < 22.0.7

redhat/openshift_container_platform 4.11

redhat/openshift_container_platform 4.12

redhat/openshift_container_platform_for_power 4.9

redhat/openshift_container_platform_for_power 4.10

redhat/openshift_container_platform_ibm_z_systems 4.9

redhat/openshift_container_platform_ibm_z_systems 4.10

redhat/single_sign-on

redhat/single_sign-on < 7.6

Published Dec 14, 2023

Tracked Since Feb 18, 2026