CVE-2022-1274Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in Redhat Keycloak

CWE-80Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)CWE-79Cross-site Scripting5 documents5 sources
Severity
5.4MEDIUMNVD
EPSS
1.0%
top 23.23%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Redhat KeycloakRedhat Single Sign-onRedhat Openshift Container Platform
Timeline
PublishedMar 29

Description

A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:NExploitability: 2.3 | Impact: 2.7

Affected Packages3 packages

NVDredhat/keycloak< 20.0.5
CVEListV5redhat/keycloakunknown
NVDredhat/single_sign-on7.67.6.2

Also affects: Openshift Container Platform 4.10, 4.9

🔴Vulnerability Details

3
CVEList
CVE-2022-1274: A flaw was found in Keycloak in the execute-actions-email endpoint2023-03-29
OSV
HTML Injection in Keycloak Admin REST API2023-03-01
GHSA
HTML Injection in Keycloak Admin REST API2023-03-01

📋Vendor Advisories

1
Red Hat
keycloak: HTML injection in execute-actions-email Admin REST API2023-02-28