VYPR
Moderate severity · NVD Advisory · Published Mar 25, 2022 · Updated Aug 3, 2024

CVE-2021-20323

Description

A POST based reflected Cross Site Scripting vulnerability on has been identified in Keycloak.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Keycloak has a POST-based reflected XSS vulnerability allowing attackers to execute arbitrary JavaScript in victims' browsers.

Vulnerability

A POST-based reflected Cross-Site Scripting (XSS) vulnerability exists in Keycloak [1]. The flaw allows an attacker to inject malicious scripts via specially crafted HTTP POST requests. Affected versions include all Keycloak releases prior to the fix included in version 15.0.2 [1]. The vulnerability is reachable when the application processes unsanitized input from POST parameters.

Exploitation

An attacker can exploit this vulnerability without prior authentication by crafting a malicious POST request containing a JavaScript payload in a vulnerable parameter [1]. The attacker must then trick a victim into submitting the crafted request (e.g., via a link or form submission). No write access or race condition is required; the attack relies solely on user interaction to trigger the reflected payload.

Impact

Successful exploitation results in arbitrary JavaScript execution in the victim's browser within the security context of the Keycloak application [1]. This can lead to information disclosure, session hijacking, or other client-side attacks, potentially compromising the confidentiality and integrity of user data.

Mitigation

The vulnerability is fixed in Keycloak version 15.0.2 [1]. Users should upgrade to this version or later. No workaround is documented in the available references. Systems running older, unsupported versions of Keycloak remain vulnerable and should be upgraded immediately.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.keycloak:keycloak-core (Maven)
Affected versions: >= 15.0.0, < 17.0.0
Patched versions: 17.0.0

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 3

News mentions: 0 (no linked articles in our index yet)