If a JBoss Keycloak application has "*" configured as a permitted web origin in the Keycloak administrative console, crafted requests to the login-status-iframe.html endpoint can inject arbitrary JavaScript into the generated HTML via the "origin" query parameter, leading to a cross-site scripting vulnerability.
Acknowledgements: This issue was discovered by Florian Weimer of Red Hat Product Security.
Statement: This issue does not affect any supported Red Hat products.
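To illustrate the failure mode described above, the following added example (not Keycloak's code, not from Red Hat; all function and constant names are assumptions) models an iframe endpoint that reflects the "origin" parameter into its HTML. The weak variant relies entirely on the web-origin allowlist, so a "*" entry lets any string through unescaped; the hardened variant ignores the wildcard for this endpoint, requires a syntactically valid origin, and embeds it as an escaped JSON literal.

```python
import json
import re

# Constructed allowlists for the demonstration (not real configuration values).
CONSTRUCTED_WEB_ORIGINS_WILDCARD = {"*"}
CONSTRUCTED_WEB_ORIGINS_STRICT = {"https://app.example"}

# A serialized origin is exactly scheme://host[:port]; no path, query, userinfo or metacharacters.
ORIGIN_RE = re.compile(r"^https?://[A-Za-z0-9.-]+(:\d{1,5})?$")


def origin_permitted(origin: str, web_origins: set) -> bool:
    """Weak check: a '*' entry accepts any string at all, including HTML metacharacters."""
    return "*" in web_origins or origin in web_origins


def render_weak(origin: str, web_origins: set):
    """Reflects the origin unescaped; only safe while the allowlist is explicit and exact."""
    if not origin_permitted(origin, web_origins):
        return None  # would be an HTTP 403 in a real endpoint
    return f"<script>var origin = '{origin}';</script>"


def is_well_formed_origin(origin: str) -> bool:
    """Reject anything that is not a bare scheme://host[:port] origin."""
    return bool(ORIGIN_RE.fullmatch(origin))


def render_hardened(origin: str, web_origins: set):
    """Do not honour '*' here, validate the origin syntax, and embed it as a JSON string
    with '<' and '>' escaped so the value can never terminate the <script> element."""
    explicit = {o for o in web_origins if o != "*"}
    if not is_well_formed_origin(origin) or origin not in explicit:
        return None
    literal = json.dumps(origin).replace("<", "\\u003c").replace(">", "\\u003e")
    return f"<script>var origin = {literal};</script>"


if __name__ == "__main__":
    bad = "https://app.example'<x>"  # constructed input containing HTML metacharacters
    print(render_weak(bad, CONSTRUCTED_WEB_ORIGINS_WILDCARD))   # reflected verbatim
    print(render_weak(bad, CONSTRUCTED_WEB_ORIGINS_STRICT))     # None: rejected
    print(render_hardened(bad, CONSTRUCTED_WEB_ORIGINS_WILDCARD))  # None: rejected
```

A configuration review should look for the same thing the weak path shows: a wildcard web origin turns the origin check into a no-op, so the only remaining defence is the escaping the endpoint applies.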