CVE-2024-4028
Description
A vulnerability was found in Keycloak. This issue may allow a privileged attacker to use a malicious payload as the permission while creating items (Resource and Permissions) from the admin console, leading to a stored cross-site scripting (XSS) attack.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
The Keycloak admin console allows a privileged attacker to inject stored XSS through a malicious payload in permission fields when creating resources or permissions.
What the vulnerability is
CVE-2024-4028 is a stored cross-site scripting (XSS) vulnerability in Keycloak's admin console. The root cause is insufficient input sanitization of the permission field when creating resources or permissions. A privileged attacker can inject arbitrary JavaScript code that gets stored and executed when the admin interface renders the malicious permission [1][2].
How it is exploited
Exploitation requires the attacker to have privileged access to the Keycloak admin console. The attacker crafts a malicious payload as the permission value while creating a new resource or permission through the admin interface. This payload is stored in the backend and later executed in the browser of any administrator viewing the affected item [4].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the admin console. This could lead to session hijacking, administrative actions performed on behalf of the victim, or further compromise of the Keycloak instance [1][2].
Mitigation
As of the publication date, Red Hat has acknowledged the vulnerability and recommends updating to a patched version of Keycloak. Users should monitor official channels for the release of a fix and apply it promptly. No workarounds have been documented [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.keycloak:keycloak-core (Maven) | <= 26.1.2 | — |
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 4
News mentions: 0
No linked articles in our index yet.