HTML Injection in Keycloak Admin REST API

Moderate
abstractj published GHSA-m4fv-gm5m-4725 Feb 27, 2023

Package

org.keycloak.services (Maven)

Affected versions

< 20.0.5

Patched versions

20.0.5

Description

The "execute-actions-email" endpoint of the Keycloak Admin REST API allows a malicious actor to send emails containing phishing links to Keycloak users.

Severity

Moderate

CVE ID

CVE-2022-1274

Weaknesses