keycloak-services is vulnerable to Cross-Site Scripting (XSS)
73
High Risk
Keycloak validates client redirect URIs case-sensitively, so a crafted javascript: or data: scheme using mixed case slips past the scheme blocklist. A user who can register or manage clients can store a malicious redirect URI that executes script in the Keycloak origin. The payload fires when a victim follows the crafted link, such as during logout or in the Admin Console, enabling cross-site scripting. The fix makes URI scheme validation case-insensitive.
You are affected if you are using a version that falls within the vulnerable range and untrusted users can register or manage clients with their own redirect URIs.
keycloak-services is vulnerable to Cross-Site Scripting (XSS) in versions 1.0.1.Final - 26.6.3.
Upgrade the org.keycloak:keycloak-services library to the patch version.
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.

SOC 2Compliant
ISO 27001Compliant