CVE-2023-6717

MEDIUM

Keycloak < 22.0.10 - Stored Cross-Site Scripting via SAML Client Registration

Title source: llm
STIX 2.1

Description

A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issue may allow a malicious admin in one realm or a client with registration access to target users in different realms or applications, executing arbitrary JavaScript in their contexts upon form submission. This can enable unauthorized access and harmful actions, compromising the confidentiality, integrity, and availability of the complete KC instance.

References (7)

Core 7
Core References
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:1353
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:1867
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:1868
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:2945
Vendor Advisory vendor-advisory x_refsource_redhat
https://access.redhat.com/errata/RHSA-2024:4057
Vendor Advisory vdb-entry x_refsource_redhat
https://access.redhat.com/security/cve/CVE-2023-6717
Issue Tracking issue-tracking x_refsource_redhat
https://bugzilla.redhat.com/show_bug.cgi?id=2253952

Scores

CVSS v3 6.0
EPSS 0.0010
EPSS Percentile 27.6%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-79
Status published
Products (25)
org.keycloak/keycloak-services 0 - 22.0.10Maven
Red Hat/Migration Toolkit for Applications 6
Red Hat/Migration Toolkit for Applications 7
Red Hat/Red Hat AMQ Broker 7
Red Hat/Red Hat build of Apicurio Registry 2
Red Hat/Red Hat build of Keycloak 22 22-13
Red Hat/Red Hat build of Keycloak 22 22-16
Red Hat/Red Hat build of Keycloak 22 22.0.10-1
Red Hat/Red Hat build of Keycloak 22.0.10
Red Hat/Red Hat build of Quarkus
... and 15 more
Published Apr 25, 2024
Tracked Since Feb 18, 2026