CVE-2020-1697
XSS in Keycloak
5.4
MEDIUM
CVSS 3.1
EPSS 0.28%
Description
In all Keycloak versions before 9.0.0, links to external applications (Application Links) in the admin console are not validated properly, which could allow stored XSS attacks. An authenticated malicious user could create URLs to trick users in other realms and possibly conduct further attacks.
How to fix CVE-2020-1697
To remediate CVE-2020-1697, upgrade the affected package to a fixed version below.
- Upgrade to 9.0.0 or later
Is CVE-2020-1697 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- keycloak: all versions from 0, < 9.0.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (5.4) | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |