PT-2025-36327 · Red Hat · Keycloak

Published: 2025-09-05 · Updated: 2025-09-06 · CVE-2025-10044

CVSS v3.1: 4.3
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

Name of the Vulnerable Software and Affected Versions:

Keycloak (affected versions not specified)

Description:

A flaw exists in Keycloak where the account console and other pages accept arbitrary text in the `error description` query parameter. This text is directly rendered in error pages without validation or sanitization. While HTML encoding prevents cross-site scripting (XSS), an attacker can craft URLs with misleading messages, such as fake support phone numbers or URLs, which are displayed within the trusted Keycloak user interface. This creates a phishing vector, potentially tricking users into contacting malicious actors.
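As an added illustration (not Keycloak's own code), the flawed pattern the description refers to is shown beside a hardened version that renders only server-defined text for a known error code, plus a heuristic a defender can run over request logs. The parameter is assumed to be spelled `error_description`, as in OAuth 2.0 error responses; the URL and messages are constructed.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a link whose free-text description carries a fake contact number.
CONSTRUCTED_URL = (
    "https://idp.example/realms/demo/account/?error=invalid_request"
    "&error_description=Your+session+expired.+Call+555-0199+for+help"
)

# Hypothetical operator-controlled messages keyed by error code (assumption: the
# application owns this table; nothing in it comes from the request).
KNOWN_ERRORS = {
    "invalid_request": "The request was malformed. Please try again.",
    "access_denied": "You do not have access to this resource.",
}
GENERIC_MESSAGE = "An error occurred. Please contact your administrator."

def _query(url: str) -> dict:
    """Parse the query string into {name: first_value}."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}

def render_vulnerable(url: str) -> str:
    """Flawed pattern: HTML-escape the caller-supplied text and echo it verbatim.
    Escaping blocks script injection but still displays whatever the link says."""
    desc = _query(url).get("error_description", "")
    return f"<p class='error'>{html.escape(desc)}</p>"

def render_hardened(url: str) -> str:
    """Hardened pattern: ignore free text entirely; map a known code to fixed text."""
    code = _query(url).get("error", "")
    return f"<p class='error'>{html.escape(KNOWN_ERRORS.get(code, GENERIC_MESSAGE))}</p>"

# Phone-number-like digit runs or URLs inside a description are a spoofing signal.
_SPOOF_RE = re.compile(r"https?://|www\.|\d[\d\-\s()]{6,}\d", re.IGNORECASE)

def looks_spoofed(url: str) -> bool:
    """Log-review heuristic: does the error_description carry contact details?"""
    return bool(_SPOOF_RE.search(_query(url).get("error_description", "")))
```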

Recommendations:

At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Weakness Enumeration

XSS

Related Identifiers

CVE-2025-10044

Affected Products

Keycloak