A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. This issue may allow a malicious admin in one realm or a client with registration access to target users in different realms or applications, executing arbitrary JavaScript in their contexts upon form submission. This can enable unauthorized access and harmful actions, compromising the confidentiality, integrity, and availability of the complete KC instance.
Metrics
Affected Vendors & Products
References
History
Thu, 19 Sep 2024 08:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics |
ssvc
|
Thu, 29 Aug 2024 19:00:00 +0000
Type | Values Removed | Values Added |
---|---|---|
References |
|
Thu, 29 Aug 2024 06:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
CPEs | cpe:/a:redhat:jboss_enterprise_bpms_platform:7.13 |
MITRE
Status: PUBLISHED
Assigner: redhat
Published: 2024-04-25T16:02:03.267Z
Updated: 2024-12-23T09:37:38.299Z
Reserved: 2023-12-12T07:30:43.924Z
Link: CVE-2023-6717
Vulnrichment
Updated: 2024-08-02T08:35:14.887Z
NVD
Status : Awaiting Analysis
Published: 2024-04-25T16:15:10.653
Modified: 2024-11-21T08:44:24.813
Link: CVE-2023-6717
Redhat