CVE-2022-2256

CWE-79 — Cross-site Scripting (XSS)CWE-364 CWE-908 — Use of Uninitialized Resource10 documents6 sources

Severity

3.8LOW

EPSS

0.9%

top 24.62%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Redhat Single Sign-on

Timeline

PublishedSep 1

Latest updateDec 24

Description

A Stored Cross-site scripting (XSS) vulnerability was found in keycloak as shipped in Red Hat Single Sign-On 7. This flaw allows a privileged attacker to execute malicious scripts in the admin console, abusing the default roles functionality.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:NExploitability: 1.2 | Impact: 2.5

Affected Packages3 packages

▶NVDredhat/single_sign-on7.0

▶Mavenorg.keycloak:keycloak-parent< 19.0.2

▶CVEListV5keycloakkeycloak as shipped in Red Hat Single Sign-On 7

🔴Vulnerability Details

OSV

mrp: introduce active flags to prevent UAF when applicant uninit↗2025-12-24

▶

GHSA

Keycloak vulnerable to Stored Cross site Scripting (XSS) when loading default roles↗2022-09-23

▶

OSV

Keycloak vulnerable to Stored Cross site Scripting (XSS) when loading default roles↗2022-09-23

▶

CVEList

CVE-2022-2256: A Stored Cross-site scripting (XSS) vulnerability was found in keycloak as shipped in Red Hat Single Sign-On 7↗2022-09-01

▶

📋Vendor Advisories

Red Hat

kernel: tipc: check attribute length for bearer name↗2025-02-26

▶

Red Hat

keycloak: improper input validation permits script injection↗2022-06-28

▶