CVE-2022-1274

Name of the Vulnerable Software and Affected Versions Keycloak (affected versions not specified)

Description A flaw was found in the "execute-actions-email" endpoint of Keycloak, allowing arbitrary HTML to be injected into emails sent to Keycloak users. This issue can be misused to perform phishing or other attacks against users, essentially conducting a cross-site scripting (XSS) attack. The flaw is related to inadequate protection measures of the web page structure.

Recommendations As a temporary workaround, consider disabling the execute-actions-email endpoint until a patch is available. Restrict access to this endpoint to minimize the risk of exploitation. Avoid using this endpoint to send emails containing potentially malicious content until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.