PT-2024-38217 · Red Hat · Keycloak

Patrick Del Bello · Published 2024-09-09 · Updated 2025-11-01 · CVE-2024-7260

CVSS v3.1: 6.1 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Keycloak (affected versions not specified)

Description: An open redirect issue exists in Keycloak, where a specially crafted URL can be constructed to trick users into visiting a malicious webpage. The referrer and referrer uri parameters can be manipulated to make a trusted URL appear safe, when in fact it redirects to a malicious server. This can lead to successful phishing attacks or other types of attacks. A malicious actor can send a crafted URL to a Keycloak admin via email, triggering the vulnerability when the user visits the page and clicks the link. The malicious actor can also obfuscate the redirect uri using URL encoding to hide the text of the actual malicious website domain.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Open Redirect

Weakness Enumeration

Related Identifiers

ALT-PU-2025-13422
ALT-PU-2025-2871
ALT-PU-2025-3092
CVE-2024-7260
GHSA-G4GC-RH26-M3P5

Affected Products

Alt Linux
Keycloak