Bug 1693166 (CVE-2016-10744) - CVE-2016-10744 select2: XSS due to missing sanitization when HTML templates are used to display remotely-loaded data.
Keywords:
Status: CLOSED WONTFIX
Alias: CVE-2016-10744
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 1693168
Reported: 2019-03-27 09:26 UTC by Dhananjay Arunesh
Modified: 2020-12-15 15:43 UTC (History)
CC List: 11 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2020-02-03 14:09:32 UTC
Embargoed:



Description Dhananjay Arunesh 2019-03-27 09:26:00 UTC
In Select2 through 4.0.5, as used in Snipe-IT and other products, rich selectlists allow XSS. This affects use cases with Ajax remote data loading when HTML templates are used to display listbox data.

Reference:
https://github.com/select2/select2/issues/4587
https://github.com/snipe/snipe-it/pull/6831

Commit:
https://github.com/snipe/snipe-it/pull/6831/commits/5848d9a10c7d62c73ff6a3858edfae96a429402a
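The description above covers the vulnerable pattern: a Select2 `templateResult` callback that splices fields of an Ajax-loaded result straight into an HTML template, so any markup in the remote data is rendered live. The following is an added example, not code from the bug report, Select2 or Snipe-IT. It places the unsafe template next to an escaped one and checks both against a constructed payload; `escapeHtml`, `renderResultUnsafe`, `renderResultSafe` and `containsInjectedMarkup` are helpers written for this example, and the Select2 wiring in the trailing comment is an assumption about how such a callback is typically registered.

```javascript
// Added example (not from the bug report, Select2 or Snipe-IT).
// Select2 calls a user-supplied templateResult(item) for every remotely
// loaded result. When that callback concatenates fields of the Ajax payload
// into markup and the markup is inserted unescaped, attacker-controlled data
// becomes live HTML. Escaping each interpolated field removes that path.

// Minimal HTML escaper (assumption: our own helper, not a Select2 API).
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable pattern: remote fields spliced directly into an HTML template.
function renderResultUnsafe(item) {
  return '<span class="asset"><b>' + item.text + '</b> (' + item.tag + ')</span>';
}

// Hardened pattern: every untrusted field is escaped before interpolation,
// so the only tags in the output are the ones the template itself wrote.
function renderResultSafe(item) {
  return '<span class="asset"><b>' + escapeHtml(item.text) + '</b> (' +
         escapeHtml(item.tag) + ')</span>';
}

// Check used in the test below: does the rendered markup contain any tag
// other than the ones the template legitimately emits?
function containsInjectedMarkup(html) {
  const templateTags = new Set(['span', '/span', 'b', '/b']);
  return [...html.matchAll(/<\s*([a-zA-Z\/][^\s>]*)/g)]
    .some((m) => !templateTags.has(m[1].toLowerCase()));
}

// Constructed sample Ajax payload, shaped like a remote endpoint's response.
// The second entry carries a classic XSS probe string as its display text.
const constructedRemoteResults = [
  { id: 1, text: 'Laptop 17', tag: 'AST-001' },
  { id: 2, text: '<img src=x onerror="alert(1)">', tag: 'AST-002' },
];

// Assumed wiring (not run here): registering the safe template with Select2.
// Returning a string with escapeMarkup set to the identity function is the
// common way HTML templates are enabled, which is exactly why the template
// itself has to do the escaping.
// $('#assets').select2({
//   ajax: { url: '/api/assets' },
//   templateResult: renderResultSafe,
//   escapeMarkup: (markup) => markup,
// });
```

Run under Node: `renderResultUnsafe` on the second constructed item yields markup containing an `<img>` with an event handler, while `renderResultSafe` yields the same text as inert entities. Server-side sanitization of the data is a separate control; the point here is that the rendering layer must not trust whatever the remote endpoint returns.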

Comment 1 Cedric Buissart 2019-05-24 11:53:13 UTC
To be noted: the commit above is not a fix for select2, but a workaround used by snipe-it, which could be applicable to other projects waiting for a select2 fix.

Comment 2 Paramvir jindal 2019-12-17 17:56:18 UTC
Re-opening this flaw in order to analyze RHSSO w.r.t. select2 vulnerability:

Bug URL: https://issues.jboss.org/browse/KEYCLOAK-12391

During a penetration test we observed an issue with the used dependency to select2 (JS/NPM): https://snyk.io/vuln/SNYK-JS-SELECT2-456562.
Therefore it is required to upgrade the library to a version >= 4.0.8.

Comment 5 Paramvir jindal 2020-02-03 12:12:51 UTC
From further verification I can confirm there is no actual fix in Select2 with regards to https://snyk.io/vuln/SNYK-JS-SELECT2-456562. It is simply updating documentation and examples recommending that inputs are sanitized properly.

The dependency is used with the Keycloak admin console, which is built on Angular. Angular automatically performs the required sanitising. As such there is no vulnerability in this regard and we are already doing what the updated documentation and examples from Select2 recommend. As such updating Select2 has no value or effect in this regard.

Hence I am marking RHSSO 7 as not affected.

Comment 6 Product Security DevOps Team 2020-02-03 14:09:32 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2016-10744

