A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability.
Details
This issue is the result of code found in the exception here: https://github.com/keycloak/keycloak/blob/48835576daa158443f69917ac309e1a7c951bc87/services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java#L1045
Steps to reproduce
When using the legacy admin console:
- Sign in as Admin user in first tab.
- In that tab create new user in keycloak admin section > intercept user creation request and modify it by including malicious js script there (in username field).
- Sign in as newly created user in second tab (same browser window but second tab).
- Navigate back to first tab where you are signed in as admin, navigate to admin console which lists all application users.
- Choose any user (except newly created malicious one) – modify anything for that user in his settings. E.g. navigate to credentials tab and set new credentials for him. Also set new password as temporary.
- After update for that user is made, use impersonate option on that modified user.
- You should see window with form which requires providing new credentials – fill it and submit request.
- Just after submiting request user will get notified that “You are already authenticated as different user ‘[user + payload]’ in this session. Please sign out first.” And malicious payload will be executed instantly.
References
A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a Cross-site scripting (XSS) vulnerability.
Details
This issue is the result of code found in the exception here: https://github.com/keycloak/keycloak/blob/48835576daa158443f69917ac309e1a7c951bc87/services/src/main/java/org/keycloak/authentication/AuthenticationProcessor.java#L1045
Steps to reproduce
When using the legacy admin console:
References