Security Advisories

CGA-296m-q8jg-7vqc

https://images.chainguard.dev/security/CGA-296m-q8jg-7vqc
Package: keycloak-fips
Latest Update: Fixed
Fixed Version: 24.0.3-r0

Aliases
  • CVE-2023-6717
  • GHSA-8rmm-gm28-pj8q

Severity: 6.0 (Medium, CVSS v3)

Summary

Keycloak Cross-site Scripting (XSS) via assertion consumer service URL in SAML POST-binding flow

Description

Keycloak allows arbitrary URLs as SAML Assertion Consumer Service POST Binding URL (ACS), including JavaScript URIs (javascript:).

Allowing JavaScript URIs in combination with HTML forms leads to JavaScript evaluation in the context of the embedding origin on form submission.

Acknowledgements:

Special thanks to Lauritz Holtmann for reporting this issue and helping us improve our project.
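As an added illustration, not Keycloak code and not a reproduction of the project's fix, the Python below shows the kind of check an identity provider should apply before a registered ACS URL is used as the action of an auto-submitting POST-binding form: an allowlist of http/https schemes with a host present, a rejection of embedded whitespace and control characters (browsers strip ASCII tab and newline inside a URL, so "java<TAB>script:" still reaches the JavaScript scheme), and a renderer that refuses anything else and HTML-escapes what it interpolates. The function names and the sample URLs are constructed for this example.

```python
"""Allowlist validation of a SAML Assertion Consumer Service (ACS) URL before it
becomes the action of a POST-binding form.

Constructed example for this advisory; not Keycloak code. Function names and
sample data are assumptions made for illustration.
"""
import html
from urllib.parse import urlsplit

# Only web schemes may receive a SAML POST binding. javascript:, data:,
# vbscript: and scheme-relative targets are rejected outright.
ALLOWED_SCHEMES = frozenset({"http", "https"})


def is_valid_acs_url(url: str) -> bool:
    """Return True only for an absolute http(s) URL that names a host.

    The raw string is inspected before parsing: browsers remove ASCII tab and
    newline characters from a URL, so "java\\tscript:" is the JavaScript scheme
    to a browser even though a naive scheme parser would not recognise it.
    """
    if not isinstance(url, str) or not url:
        return False
    # Any whitespace or C0/DEL control character is suspicious in an ACS URL.
    if any(ch.isspace() or ord(ch) < 0x20 or ch == "\x7f" for ch in url):
        return False
    parts = urlsplit(url)  # urlsplit lowercases the scheme, so "JavaScript:" is caught
    if parts.scheme not in ALLOWED_SCHEMES:
        return False
    if not parts.hostname:  # "https:///acs" and "//host/acs" have no usable host
        return False
    return True


def render_post_binding_form(acs_url: str, saml_response_b64: str) -> str:
    """Build the auto-submitting form used by the SAML HTTP-POST binding.

    Refuses any target that fails the allowlist, so the form action can never
    be a javascript: URI, and escapes every attribute value it interpolates.
    """
    if not is_valid_acs_url(acs_url):
        raise ValueError(f"refusing to render POST binding to {acs_url!r}")
    return (
        '<form method="post" action="{action}">'
        '<input type="hidden" name="SAMLResponse" value="{resp}"/>'
        '<noscript><input type="submit" value="Continue"/></noscript>'
        "</form><script>document.forms[0].submit();</script>"
    ).format(
        action=html.escape(acs_url, quote=True),
        resp=html.escape(saml_response_b64, quote=True),
    )


# Constructed candidate ACS URLs, as an attacker-registered service provider
# might supply them, with the verdict the validator should reach.
SAMPLE_ACS_URLS = {
    "https://sp.example.test/saml/acs": True,
    "http://sp.example.test/acs": True,
    "javascript:alert(document.domain)": False,
    "JavaScript:alert(1)": False,                 # scheme is case-insensitive
    "java\tscript:alert(1)": False,               # tab stripped by browser URL parsing
    " javascript:alert(1)": False,                # leading whitespace
    "data:text/html,<script>alert(1)</script>": False,
    "//sp.example.test/acs": False,               # scheme-relative, inherits page scheme
    "https:///acs": False,                        # no host component
    "": False,
}


def check_samples() -> dict:
    """Run the validator over the constructed samples; returns url -> verdict."""
    return {url: is_valid_acs_url(url) for url in SAMPLE_ACS_URLS}


if __name__ == "__main__":
    for url, expected in SAMPLE_ACS_URLS.items():
        got = is_valid_acs_url(url)
        print(f"{'OK ' if got == expected else 'BAD'} {url!r} -> {got}")
    print(render_post_binding_form("https://sp.example.test/saml/acs", "PHNhbWxwOlJlc3BvbnNlLz4="))
```

The check runs at registration time as well as at render time: rejecting a bad ACS URL when the service provider is configured keeps the value out of the database, and re-checking before rendering protects against values that reached storage by another path (imports, older releases, direct database edits).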
