VYPR
Moderate severityNVD Advisory· Published Dec 14, 2023· Updated Feb 25, 2026

Keycloak: reflected xss via wildcard in oidc redirect_uri

CVE-2023-6134

Description

A flaw was found in Keycloak that prevents certain schemes in redirects, but permits them if a wildcard is appended to the token. This issue could allow an attacker to submit a specially crafted request leading to cross-site scripting (XSS) or further attacks. This flaw is the result of an incomplete fix for CVE-2020-10748.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
org.keycloak:keycloak-servicesMaven
< 23.0.323.0.3

Affected products

9
  • Red Hat/Red Hat build of Keycloak 22.0.7v5
    cpe:/a:redhat:build_keycloak:22
  • cpe:/a:redhat:build_keycloak:22::el9
    Range: 22-9
  • Red Hat/Single Sign Oncpe-rescue5 versions
    cpe:/a:redhat:red_hat_single_sign_on:7.6+ 4 more
    • cpe:/a:redhat:red_hat_single_sign_on:7.6
    • cpe:/a:redhat:red_hat_single_sign_on:7.6.6
    • cpe:/a:redhat:red_hat_single_sign_on:7.6::el7range: 0:18.0.12-1.redhat_00001.1.el7sso
    • cpe:/a:redhat:red_hat_single_sign_on:7.6::el8range: 0:18.0.12-1.redhat_00001.1.el8sso
    • cpe:/a:redhat:red_hat_single_sign_on:7.6::el9range: 0:18.0.12-1.redhat_00001.1.el9sso
  • Red Hat/RHEL-8 based Middleware Containersv5
    cpe:/a:redhat:rhosemc:1.0::el8
    Range: 7.6-41

Patches

Vulnerability mechanics

References

18

News mentions

0

No linked articles in our index yet.