CyberSec.Space Logo
Back to CVE Browser

CVE-2021-20195

CRITICAL
9.6
CVSS Severity Score
EPSS Score0.0590%
EPSS Percentile13.08th
PublishedMay 28, 2021
Last ModifiedNov 21, 2024

Vulnerability Description

A flaw was found in keycloak in versions before 13.0.0. A Self Stored XSS attack vector escalating to a complete account takeover is possible due to user-supplied data fields not being properly encoded and Javascript code being used to process the data. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Affected Platforms (CPE)

📦
Redhat

Keycloak

< 12.0.3

References & Advisories

🔗 https://bugzilla.redhat.com/show_bug.cgi?id=1919143
🔗 https://bugzilla.redhat.com/show_bug.cgi?id=1919143

Related Vulnerabilities

CVE-2026-4638910.0

UDS Identity Config builds the Keycloak configuration image (realm, plugins, theme, truststore, JARs) consumed by UDS Core's Ident...

CVE-2017-74749.8

It was found that the Keycloak Node.js adapter 2.5 - 3.0 did not handle invalid tokens correctly. An attacker could use this flaw...

CVE-2019-149109.8

A vulnerability was found in keycloak 7.x, when keycloak is configured with LDAP user federation and StartTLS is used instead of S...

CVE-2020-17319.1

A flaw was found in all versions of the Keycloak operator, before version 8.0.2,(community only) where the operator generates a ra...