CVE-2018-14655

Name of the Vulnerable Software and Affected Versions Keycloak versions 3.4.3.Final through 4.3.0.Final

Description A flaw in Keycloak allows the injection of arbitrary Javascript code via the state-parameter in the authentication URL when using response mode=form post. This enables a cross-site scripting (XSS) attack upon successful login.

Recommendations For Keycloak versions 3.4.3.Final through 4.3.0.Final, consider disabling the use of response mode=form post until a patch is available to prevent the injection of arbitrary Javascript code via the state-parameter. Restrict access to the authentication URL to minimize the risk of exploitation. Avoid using the state-parameter in the affected authentication URL until the issue is resolved.