PT-2024-5147 · Red Hat · Keycloak
Tej Rathi · Published 2024-04-16 · Updated 2024-08-29 · CVE-2023-6717
CVSS v2.0: 6.8 (Medium)
Vector: AV:N/AC:H/Au:S/C:C/I:C/A:P
Name of the Vulnerable Software and Affected Versions: Keycloak (affected versions not specified)
Description: A flaw was found in the SAML client registration in Keycloak that could allow an administrator to register malicious JavaScript URIs as Assertion Consumer Service POST Binding URLs (ACS), posing a Cross-Site Scripting (XSS) risk. A malicious admin in one realm, or a client with registration access, could thereby target users in other realms or applications and execute arbitrary JavaScript in their context upon form submission. The vulnerability exists because the web page structure is not protected, which can enable unauthorized access and harmful actions and compromise the confidentiality, integrity, and availability of the entire Keycloak instance.
Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
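As an added illustration of the check that closes this class of bug (example code, not Keycloak's own): a Python validator that allow-lists the scheme of a candidate ACS POST Binding URL before it is stored at client registration, run over constructed sample values. The hostnames and helper names are assumptions for the example.

```python
from urllib.parse import urlsplit

# Only web URLs can receive the browser's SAMLResponse POST, so allow-list these.
ALLOWED_SCHEMES = {"https", "http"}

class InvalidAcsUrl(ValueError):
    """Raised when a candidate ACS POST Binding URL must not be stored."""

def validate_acs_url(url: str, require_https: bool = True) -> str:
    """Return the ACS URL if safe to register, else raise InvalidAcsUrl. Allow-listing
    the scheme (not deny-listing javascript:) also catches case/whitespace tricks."""
    if not isinstance(url, str) or not url:
        raise InvalidAcsUrl("ACS URL must be a non-empty string")
    # Browsers strip ASCII whitespace/control characters when resolving a URL,
    # which is how 'java<TAB>script:' slips past naive prefix checks.
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in url):
        raise InvalidAcsUrl("ACS URL contains whitespace or control characters")
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise InvalidAcsUrl(f"scheme {scheme or '(none)'!r} is not allowed")
    if require_https and scheme != "https":
        raise InvalidAcsUrl("ACS URL must use https")
    if not parts.hostname:
        raise InvalidAcsUrl("ACS URL must name a host")
    if "@" in parts.netloc:
        raise InvalidAcsUrl("userinfo is not allowed in an ACS URL")
    return parts.geturl()

# Constructed sample values a registration request might carry (not real data).
SAMPLE_ACS_VALUES = [
    "https://sp.example.com/saml/acs",
    "JaVaScRiPt:void(0)",
    " javascript:void(0)",
    "java\tscript:void(0)",
    "data:text/html,placeholder",
    "//sp.example.com/saml/acs",
    "https://user:pw@sp.example.com/saml/acs",
]

def triage(values):
    """Map each candidate to 'accepted' or 'rejected: <reason>'."""
    result = {}
    for value in values:
        try:
            validate_acs_url(value)
            result[value] = "accepted"
        except InvalidAcsUrl as exc:
            result[value] = f"rejected: {exc}"
    return result
```

Only the first sample survives; every other value is refused at registration time, so no javascript: or scheme-less ACS URL ever reaches the SAML response form.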

Tags: Open Redirect · RCE · XSS

Weakness Enumeration

Related Identifiers

BDU:2024-05694
CVE-2023-6717
GHSA-8RMM-GM28-PJ8Q

Affected Products

Keycloak