A flaw was found in Keycloak 3.4.3.Final, 4.0.0.Beta2, and 4.3.0.Final. When using "response_mode=form_post", it is possible to inject arbitrary JavaScript code via the "state" parameter in the authentication URL. This allows an XSS attack upon a successful login.
This issue has been addressed in the following products: Red Hat Single Sign-On 7.2 for RHEL 6, via RHSA-2018:3592 https://access.redhat.com/errata/RHSA-2018:3592
This issue has been addressed in the following products: Red Hat Single Sign-On 7.2 for RHEL 7, via RHSA-2018:3593 https://access.redhat.com/errata/RHSA-2018:3593
This issue has been addressed in the following products: Red Hat Single Sign-On 7.2.5 zip, via RHSA-2018:3595 https://access.redhat.com/errata/RHSA-2018:3595
This vulnerability is out of security support scope for the following product: Red Hat Mobile Application Platform. Please refer to https://access.redhat.com/support/policy/updates/rhmap for more details.
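As an added illustration of the flaw class described above (example code, not Keycloak's own implementation and not part of this advisory): in the OAuth 2.0 "form_post" response mode the authorization server echoes the request's `state` value back inside an auto-submitting HTML form, so a renderer that interpolates it without HTML-escaping turns a request parameter into markup. The unsafe renderer is shown beside a hardened one; `render_form_post_unsafe`, `render_form_post`, `value_survives_unescaped` and the sample parameters are hypothetical/constructed.

```python
import html
from urllib.parse import urlparse

# Constructed sample authorization response for response_mode=form_post.
# The "state" value comes from the client-supplied authentication URL and is
# therefore untrusted; here it deliberately contains markup characters.
PARAMS = {
    "code": "SplxlOBeZQQYbYS6WxSbIA",
    "state": 'abc"><b>not-a-state</b',
}
REDIRECT_URI = "https://client.example.com/cb"

FORM_TEMPLATE = (
    '<html><body onload="document.forms[0].submit()">'
    '<form method="post" action="{action}">{inputs}</form></body></html>'
)


def render_form_post_unsafe(redirect_uri: str, params: dict) -> str:
    """Vulnerable pattern: untrusted values pasted straight into the HTML.

    Whatever the request put into "state" becomes part of the page, which is
    the root cause of a form_post XSS.
    """
    inputs = "".join(
        f'<input type="hidden" name="{name}" value="{value}"/>'
        for name, value in params.items()
    )
    return FORM_TEMPLATE.format(action=redirect_uri, inputs=inputs)


def render_form_post(redirect_uri: str, params: dict) -> str:
    """Hardened renderer: every untrusted value is HTML-escaped, quotes
    included, so it can only ever be an attribute value, never markup."""
    if urlparse(redirect_uri).scheme != "https":
        raise ValueError("redirect_uri must use https")
    inputs = "".join(
        f'<input type="hidden" name="{html.escape(name, quote=True)}" '
        f'value="{html.escape(str(value), quote=True)}"/>'
        for name, value in params.items()
    )
    return FORM_TEMPLATE.format(
        action=html.escape(redirect_uri, quote=True), inputs=inputs
    )


def value_survives_unescaped(page: str, value: str) -> bool:
    """Simple check for tests or output review: True if the raw value appears
    in the rendered page verbatim, i.e. its quote/angle brackets were not
    neutralised and attribute break-out is possible."""
    return value in page
```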