It was found that Keycloak would permit a user with only view-profile role to manage the resources in the new account console, allowing access and modification of data the user was not intended to have.
A flaw was found in Keycloak, where it is possible to add unsafe schemes for the redirect_uri parameter. This flaw allows an attacker to perform a Cross-site scripting attack.
A flaw was found in Keycloak, where the NodeJS adapter did not support the verify-token-audience. This flaw results in some users having access to sensitive information.
A flaw was found in Keycloak's data filter, where it allowed the processing of data URLs in some circumstances. This flaw allows an attacker to conduct cross-site scripting or further attacks.
A flaw in the reset credential flow in keycloak allows an attacker to gain unauthorized access to the application.
A flaw in Keycloak allows a malicious user that is currently logged in, to see the personal information of a previously logged-out user in the account manager section.
A logged exception in the HttpMethod class may leak the password given as parameter. The highest threat from this vulnerability is to data confidentiality.
A flaw was found in Keycloak’s user-managed access interface, where it would permit a script to be set in the UMA policy. This flaw allows an authenticated attacker with UMA permissions to configure a malicious script to trigger and execute arbitrary code with the permissions of the user running the application.
A flaw was found in the Keycloak admin console, where the realm management interface permits a script to be set via the policy. This flaw allows an attacker with authenticated user and realm management permissions to configure a malicious script to trigger and execute arbitrary code with the permissions of the application user.
An attacker could use the 'remove devices form' to post different credential IDs and possibly remove MFA devices for other users.
A vulnerability was found in all versions of Keycloak where the pages on the Admin Console area of the application are completely missing general HTTP security headers in HTTP-responses. This does not directly lead to a security issue, yet it might aid attackers in their efforts to exploit other problems. The flaws unnecessarily make the servers more prone to Clickjacking, channel downgrade attacks and other similar client-based attack vectors.
A flaw was found in keycloak. When configuring a conditional OTP Authentication Flow as a post login flow of an IDP, the failure login events for OTP are not being sent to the brute force protection event queue. So BruteForceProtector does not handle these events.
Links to external applications (Application Links) in the admin console are not validated properly and could allow Stored XSS attacks. An authenticated malicious user could create URLs to trick users in other realms, and possibly conduct further attacks.
It was found that keycloak exposes internal adapter endpoints in org.keycloak.constants.AdapterConstants, which can be invoked via a specially-crafted URL. This vulnerability could allow an attacker to access unauthorized information.