Keycloak vulnerable to cross-site scripting when validating URI-schemes on SAML and OIDC
Description
Published to the GitHub Advisory Database
Jun 30, 2023
Reviewed
Jun 30, 2023
Published by the National Vulnerability Database
Jul 7, 2023
Last updated
Nov 6, 2023
Credits
-
magicOz Analyst
AssertionConsumerServiceURL is a Java implementation for SAML Service Providers (org.keycloak.protocol.saml). Affected versions of this package are vulnerable to Cross-site Scripting (XSS).
AssertionConsumerServiceURL allows XSS when sending a crafted SAML XML request.
References