Original report

From @mposolda

In the past we had CVE due the fact it was possible to upload
javascripts directly through admin console. The ability to deploy
scripts through admin console was deprecated and in Keycloak 18 (RH-SSO
7.6) removed entirely for:

    Javascript authorization policy
    Script based authenticator
    OIDC protocol mapper

However it seems we have this ability still enabled for javascript based
protocol mapper for SAML clients. I've checked with latest Keycloak and
also with RH-SSO 7.6 and RH-SSO 7.5 that it is still possible to
directly upload javascripts with the admin console with the usage of
SAML javascript protocol mapper. This is possible even if SCRIPTS
feature is disabled (and also UPLOAD_SCRIPTS in RH-SSO 7.5), which makes
it even worse though... So administrator of SAML clients still has the
ability to run arbitrary javascript code on the server (for example to
read content of the file /etc/passwd and log it somewhere etc)

IMO this can be classified as CVE and looks like something, which should
be fixed soon and backported to RH-SSO 7.6 (I guess also 7.5 z-stream,
not sure about 7.4 and if we are still required to support that one as
z-stream).