MEDIUM 5.4
GHSA-m4fv-gm5m-4725
HTML Injection in Keycloak Admin REST API
Details
The `execute-actions-email` endpoint of the Keycloak Admin REST API allows a malicious actor to send emails containing phishing links to Keycloak users.
Are you affected?
Enter the version of the package you're using.
Affected packages
Maven / org.keycloak:keycloak-services
Introduced in:
0 Fixed in: 20.0.5 Fix
# pom.xml: bump <version>20.0.5</version> for org.keycloak:keycloak-services References
- https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725 [WEB]
- https://nvd.nist.gov/vuln/detail/CVE-2022-1274 [ADVISORY]
- https://github.com/keycloak/keycloak/pull/16764 [WEB]
- https://github.com/keycloak/keycloak/commit/fc3c61235fa30132123c17ed8702ff7b3a672fe9 [WEB]
- https://bugzilla.redhat.com/show_bug.cgi?id=2073157 [WEB]
- https://github.com/keycloak/keycloak [PACKAGE]
- https://herolab.usd.de/security-advisories/usd-2021-0033 [WEB]