VYPR
High severity · NVD Advisory · Published Aug 14, 2019 · Updated Aug 4, 2024

CVE-2019-10199

Description

It was found that Keycloak's account console, up to 6.0.1, did not perform adequate header checks in some requests. An attacker could use this flaw to trick an authenticated user into performing operations via request from an untrusted domain.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                     Ecosystem   Affected versions   Patched versions
org.keycloak:keycloak-core  Maven       < 7.0.0             7.0.0


Vulnerability mechanics

Root cause

"Missing header validation in Keycloak's account console allows CSRF attacks."

Attack vector

An attacker crafts a malicious page on an untrusted domain that sends a cross-origin request to the Keycloak account console. Because the account console does not perform adequate header checks (such as verifying the Origin or Referer header), the request is accepted as legitimate [CWE-352]. The attacker must trick an authenticated Keycloak user into visiting the malicious page (e.g., via phishing or a cross-site scripting gadget on another site). Once the victim's browser sends the forged request, the account console processes it on behalf of the authenticated user, enabling unauthorized operations [ref_id=1].

Affected code

The advisory does not specify exact file paths or function names. The vulnerability resides in the Keycloak account console component, which handles authenticated user operations. The account console failed to validate incoming HTTP headers (such as Origin or Referer) on certain requests [ref_id=1].

What the fix does

The advisory states that Keycloak's account console up to version 6.0.1 did not perform adequate header checks. No patch diff is included in the bundle, but the remediation would involve adding server-side validation of the Origin or Referer HTTP header (or a CSRF token) to distinguish same-origin requests from cross-origin ones [CWE-20]. This closes the CSRF vector by rejecting requests that lack a valid origin or token, ensuring that only intentionally submitted requests from the legitimate application context are processed [CWE-352].
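As an added example (not Keycloak's own code), the server-side Origin/Referer check the remediation describes, written in Python: state-changing requests must carry an Origin (or, failing that, a Referer) that matches the application's own origin, and a request with neither header is rejected. The origin names and request headers used here are constructed for illustration.

```python
from urllib.parse import urlsplit

# Methods that must not change state; the CSRF check is only enforced on the others.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def _normalize_origin(value):
    """Reduce a URL or origin string to (scheme, host, port), or None if unusable."""
    try:
        parts = urlsplit(value.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return (parts.scheme, parts.hostname.lower(), port)


def is_same_origin_request(method, headers, trusted_origins):
    """Return True if a request may proceed, False if it must be rejected as cross-origin.

    headers: mapping of request header name -> value (names compared case-insensitively).
    trusted_origins: origins the console is served from, e.g. "https://sso.example.test".
    """
    if method.upper() in SAFE_METHODS:
        return True
    hdrs = {name.lower(): val for name, val in headers.items()}
    trusted = {_normalize_origin(o) for o in trusted_origins} - {None}

    origin = hdrs.get("origin")
    if origin is not None:
        # Browsers send Origin on cross-site POSTs; "null" denotes an opaque origin.
        if origin.strip().lower() == "null":
            return False
        return _normalize_origin(origin) in trusted

    referer = hdrs.get("referer")
    if referer is not None:
        # Fallback for clients that omit Origin: only the scheme/host/port part matters.
        return _normalize_origin(referer) in trusted

    # Neither header present: fail closed so a stripped header cannot bypass the check.
    return False


# Constructed sample requests against a console served from https://sso.example.test
CONSOLE = ["https://sso.example.test"]
SAME_SITE = {"Origin": "https://sso.example.test"}
CROSS_SITE = {"Origin": "https://other.example"}
```

A CSRF token bound to the session, which the advisory also names as a remedy, is a separate check that can be layered on top of this one.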

Preconditions

  • Auth: The victim must be authenticated to the Keycloak account console at the time of the attack.
  • Input: The attacker must craft a cross-origin request (e.g., via a malicious HTML page) that targets the account console endpoints.
  • Network: The victim's browser must be able to reach the Keycloak server; no special network position is required beyond standard web access.

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
