CVE-2024-4028
LOWKeycloak - Stored Cross-Site Scripting via Admin Console Permission Payload
Title source: llmDescription
A vulnerability was found in Keycloak. This issue may allow a privileged attacker to use a malicious payload as the permission while creating items (Resource and Permissions) from the admin console, leading to a stored cross-site scripting (XSS) attack.
References (2)
Core 2
Core References
Vendor Advisory vdb-entry
x_refsource_redhat
https://access.redhat.com/security/cve/CVE-2024-4028
Issue Tracking issue-tracking
x_refsource_redhat
https://bugzilla.redhat.com/show_bug.cgi?id=2276418
Scores
CVSS v3
3.8
EPSS
0.0026
EPSS Percentile
48.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-20
Status
published
Products (3)
org.keycloak/keycloak-core
0Maven
Red Hat/Red Hat Build of Keycloak
Red Hat/Red Hat Single Sign-On 7
Published
Feb 18, 2025
Tracked Since
Feb 18, 2026