PT-2024-35946 · Unknown · @Dapperduckling/Keycloak-Connector-Server
Highduckboy81
Published 2024-11-25 · Updated 2024-12-01
CVE-2024-53843
CVSS v3.1: 8.1 (High)
| Vector | AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
Name of the Vulnerable Software and Affected Versions:
@dapperduckling/keycloak-connector-server versions prior to 2.5.5
Description:
A Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the authentication flow of the application, caused by improper sanitization of URL parameters. An attacker can craft a malicious URL that executes arbitrary JavaScript in the browser of any victim who opens the link. Every application that uses this authentication library is affected, and its users are at risk if they can be lured into opening such a crafted link.
Recommendations:
For versions prior to 2.5.5, upgrade to version 2.5.5 or later to ensure proper sanitization and escaping of user input in the affected URL parameters.
If upgrading is not immediately possible, consider the following workarounds:
- Employ a Web Application Firewall (WAF) to block malicious requests containing suspicious URL parameters.
- Apply input validation and escaping directly within the application’s middleware or reverse proxy layer, specifically targeting the affected parameters.
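The second workaround, validating and escaping the reflected parameter before it reaches the page, is illustrated below as an added example. It is not code from @dapperduckling/keycloak-connector-server and does not reproduce the affected code path; the parameter name `returnTo`, the page template and the helper names are assumptions chosen for illustration. It contrasts the unsafe pattern the advisory describes (raw concatenation of a URL parameter into HTML) with a hardened version that first restricts the value to a same-origin relative path and then escapes it for the HTML text and attribute contexts it is reflected into.

```javascript
// Added example, not code from @dapperduckling/keycloak-connector-server.
// Demonstrates the recommended mitigation for reflected XSS in a login flow:
// validate the URL parameter, then escape it for the context it is rendered in.
// The parameter name "returnTo" and the page template are assumptions.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape a string so it is inert inside HTML text and quoted attribute values.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Accept only a same-origin relative path as a post-login return target.
// Absolute URLs, protocol-relative "//host" forms, backslash tricks and
// control characters all fall back to "/" so the value is never attacker-shaped.
function sanitizeReturnTo(raw) {
  if (typeof raw !== 'string') return '/';
  if (!raw.startsWith('/') || raw.startsWith('//') || raw.startsWith('/\\')) return '/';
  if (/[\u0000-\u001f\u007f]/.test(raw)) return '/';
  return raw;
}

// Unsafe rendering: the raw parameter is concatenated into the markup.
// This is the pattern the advisory describes and exists here only for contrast.
function renderUnsafe(query) {
  const returnTo = query.returnTo ?? '/';
  return `<p>Redirecting to ${returnTo}</p><a href="${returnTo}">Continue</a>`;
}

// Hardened rendering: validate first, then escape for text and attribute context.
// Validation alone is not enough (a path may legally contain '"' or '<'),
// which is why escaping is still applied after sanitizeReturnTo().
function renderSafe(query) {
  const returnTo = escapeHtml(sanitizeReturnTo(query.returnTo));
  return `<p>Redirecting to ${returnTo}</p><a href="${returnTo}">Continue</a>`;
}

// Simple regression check: does the rendered HTML still contain the raw
// marker that the hostile input tried to inject?
function containsRawMarkup(html, marker) {
  return html.includes(marker);
}

// Demonstration on a constructed hostile parameter value (test data only).
function demo() {
  const probe = { returnTo: '/account"><script>probe()</script>' };
  const unsafe = renderUnsafe(probe);
  const safe = renderSafe(probe);
  return {
    unsafe,
    safe,
    unsafeLeaks: containsRawMarkup(unsafe, '<script'),
    safeLeaks: containsRawMarkup(safe, '<script'),
  };
}

const result = demo();
console.log('unsafe:', result.unsafe);
console.log('safe:  ', result.safe);
console.log('raw tag survives? unsafe=%s safe=%s', result.unsafeLeaks, result.safeLeaks);
```

Applied as middleware in front of the authentication handler, `sanitizeReturnTo` limits what a reflected parameter can contain, and `escapeHtml` at the point of rendering ensures that whatever remains cannot break out of its HTML context. Both are needed: the allowlist check reduces the attack surface, the context-aware escape is what actually prevents script execution.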
Affected Products
@Dapperduckling/Keycloak-Connector-Server