The Keycloak server is vulnerable to a self-stored XSS (cross-site scripting) attack, which can be escalated to a complete account takeover using the additional attack techniques specified below. Specifically, the Account page does not HTML-encode the user's first name and last name, so malicious HTML that executes malicious JavaScript can be embedded into the Account page. Even though the malicious JavaScript is tied to the attacker's own user (self-XSS), it can be executed in the Keycloak administrator's browser through the Impersonation functionality, and thus the attacker is able to compromise Keycloak. https://issues.redhat.com/browse/KEYCLOAK-16890
Acknowledgments: Name: Amit Laish (GE Digital, Cyber Security Lab)
Recommendations: HTML-encode the user's first name and last name, so that when the browser receives them from the server they are embedded into the HTML page as text and not executed. Use the CSP (Content Security Policy) browser protection mechanism. Reimplement realm separation so that each realm is served from a different subdomain. That way the SOP (Same Origin Policy) browser protection mechanism limits the attacker's abilities; for example, the attacker would not be able to read the responses to its malicious requests in XSS scenarios.
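The following is an added example, not Keycloak's own code, illustrating the output-encoding defect described above and the first recommendation: a minimal stand-in for the Account page renderer in its vulnerable and hardened forms, plus an audit helper an administrator could run over a realm's user list (the user objects and `findUsersWithMarkup` are assumptions for the example).

```javascript
// Added example (not Keycloak code): HTML-encode user-controlled profile fields
// at the output boundary, and audit stored profiles for markup.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode the five characters that can change HTML context when a value is
// placed in element content or a quoted attribute.
function htmlEncode(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern (the defect the advisory describes): the stored names are
// interpolated verbatim, so markup in a name becomes markup in the page.
function renderGreetingVulnerable(user) {
  return `<span id="name">${user.firstName} ${user.lastName}</span>`;
}

// Hardened pattern: every user-controlled value is encoded before interpolation,
// so the same name is rendered as inert text.
function renderGreetingHardened(user) {
  return `<span id="name">${htmlEncode(user.firstName)} ${htmlEncode(user.lastName)}</span>`;
}

// Audit helper (assumed shape of user records): list realm users whose stored
// first or last name contains tag delimiters, so those accounts can be reviewed
// before an administrator impersonates any of them. Quotes are not flagged here
// to avoid false positives on names like O'Brien; they still need encoding in
// attribute contexts, which htmlEncode handles.
function findUsersWithMarkup(users) {
  const tagChars = /[<>]/;
  return users
    .filter((u) => tagChars.test(u.firstName) || tagChars.test(u.lastName))
    .map((u) => u.username);
}

// Constructed sample realm: one ordinary user and one whose first name carries a script tag.
const sampleUsers = [
  { username: 'alice', firstName: 'Alice', lastName: 'Example' },
  { username: 'mallory', firstName: 'Mallory<script>run()</script>', lastName: 'Example' },
];

console.log(renderGreetingVulnerable(sampleUsers[1])); // script tag survives into the page
console.log(renderGreetingHardened(sampleUsers[1]));   // rendered as &lt;script&gt; text
console.log(findUsersWithMarkup(sampleUsers));         // [ 'mallory' ]
```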
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-20195