PT-2022-13045 · Red Hat · Keycloak

Jxn0 · Published 2022-08-26 · Updated 2022-11-29 · CVE-2022-0225

CVSS v3.1 5.4 Medium
Vector AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions

Keycloak versions prior to 16.0.1

Description

A flaw was found in Keycloak that allows a privileged attacker, one who can create groups from the admin console, to submit a malicious payload as the name of a new group. The name is stored and later executed when the admin console's groups dropdown renders it, which makes this a stored cross-site scripting (XSS) vulnerability. A successful attack lets the attacker run script in the admin-console sessions of other users and steal their data. The CVSS vector reflects this: the attacker needs low privileges (PR:L), the victim must interact with the dropdown (UI:R), and the impact crosses from the attacker's account into other users' sessions (S:C).

Recommendations

Upgrade to Keycloak 16.0.1 or later, the first release outside the affected range; the Red Hat Security Advisories listed under Related Identifiers carry the vendor's fixes for the Red Hat builds. Where an upgrade cannot be applied immediately, reduce exposure instead: restrict access to the admin console to trusted networks and the smallest set of administrators, limit which accounts hold the rights to create or rename groups, and do not enter untrusted values in the group name field. These are mitigations only; none of them removes the flaw.
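As an added illustration of the bug class described in this advisory, not Keycloak's own code (which this page does not reproduce): a generic groups-dropdown renderer in JavaScript, in its vulnerable form beside a hardened one, run over a constructed group name. The option markup, the function names, the sample group name and the tag-detection check are all assumptions made for the example.

```javascript
// Added example: generic illustration of the stored-XSS bug class in this
// advisory (an untrusted group name rendered into a groups dropdown). This is
// not Keycloak's code; the markup, the function names and the sample group
// name are assumptions made for the demonstration.

// Constructed sample input: a group name as it might be submitted through the
// admin console. The payload is a generic HTML-injection marker.
const CONSTRUCTED_GROUP_NAME = '<img src=x onerror="alert(document.cookie)">';

// Minimal HTML escaper for the characters that can break out of element text
// or a double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// VULNERABLE pattern: the stored name is interpolated into markup that is later
// assigned via innerHTML, so tags inside the name become live DOM and their
// event handlers run in the viewing administrator's session.
function renderGroupOptionVulnerable(group) {
  return `<option value="${group.id}">${group.name}</option>`;
}

// HARDENED pattern: every dynamic value is escaped before it enters the markup.
function renderGroupOptionSafe(group) {
  return `<option value="${escapeHtml(group.id)}">${escapeHtml(group.name)}</option>`;
}

// Alternative hardened pattern when a DOM is available: build the element and
// set textContent, so the name is never parsed as HTML at all.
function buildGroupOptionDom(doc, group) {
  const opt = doc.createElement('option');
  opt.value = group.id;
  opt.textContent = group.name;
  return opt;
}

// Regression check: does the rendered option contain any tag other than its
// own <option> wrapper? Usable as a unit test or a pre-deploy lint.
function containsInjectedTag(html) {
  const inner = html
    .replace(/^<option[^>]*>/, '')
    .replace(/<\/option>$/, '');
  return /<[a-zA-Z!\/]/.test(inner);
}

// Run both renderers over a group and report whether markup leaked through.
function demo(name = CONSTRUCTED_GROUP_NAME) {
  const group = { id: 'g-1', name };
  const vulnerable = renderGroupOptionVulnerable(group);
  const safe = renderGroupOptionSafe(group);
  return {
    vulnerable,
    safe,
    vulnerableInjects: containsInjectedTag(vulnerable),
    safeInjects: containsInjectedTag(safe),
  };
}

console.log(demo());
```

The textContent variant is the one to prefer in a real console, since it removes the need to get escaping right at every interpolation site; the string escaper is shown because template-string rendering is where this class of bug typically lives.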

Exploit

XSS

Weakness Enumeration

Related Identifiers

CVE-2022-0225
GHSA-755V-R4X4-QF7M
GHSA-FQC7-5XXC-PH7R
RHSA-2022:6782
RHSA-2022:6783
RHSA-2022:7409
RHSA-2022:7410
RHSA-2022:7411

Affected Products

Keycloak