The ”Groups” dropdown in ”Add user” is not escaped properly and can be exploited. Steps to reproduce Start a vanilla keycloak (or an existing one): docker run -p 8080:8080 -e KEYCLOAK_USER=admin -e KEYCLOAK_PASSWORD=admin quay.io/keycloak/keycloak:16.1.0 Login and go to Groups. Click New to add a new group. Add a group using the payload below: "><img src=x onerror=prompt(location)> Go to Users and click Add user. Click Groups and enter a character, as o, to display the group. This will trigger our prompt from the group name. Maybe also other places has this issue? This is probably an easy fix for you, but in case you want me to look into it I can do it. I’m jxn0 on github.
I have replicated this issue with latest upstream keycloak 16.0.1 and latest RHSSO i.e. 7.5
This issue has been addressed in the following products: Red Hat Single Sign-On 7.5 for RHEL 7 Via RHSA-2022:6782 https://access.redhat.com/errata/RHSA-2022:6782
This issue has been addressed in the following products: Red Hat Single Sign-On 7.5 for RHEL 8 Via RHSA-2022:6783 https://access.redhat.com/errata/RHSA-2022:6783
This issue has been addressed in the following products: Red Hat Single Sign-On Via RHSA-2022:6787 https://access.redhat.com/errata/RHSA-2022:6787
This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 8 Via RHSA-2022:7410 https://access.redhat.com/errata/RHSA-2022:7410
This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 7 Via RHSA-2022:7409 https://access.redhat.com/errata/RHSA-2022:7409
This issue has been addressed in the following products: Red Hat Single Sign-On 7.6 for RHEL 9 Via RHSA-2022:7411 https://access.redhat.com/errata/RHSA-2022:7411
This issue has been addressed in the following products: Red Hat Single Sign-On 7.6.1 Via RHSA-2022:7417 https://access.redhat.com/errata/RHSA-2022:7417
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-0225