This is a summary of the AI-generated 10-question deep analysis. The full version (longer answers, follow-up Q&A, related CVEs) requires login.
Q1. What is this vulnerability? (Essence + Consequences)
**Essence**: Reflected XSS in Keycloak's `clients-registrations` endpoint. **Consequences**: Malicious JS executes in the victim's browser. **Impact**: Session hijacking, credential theft, or defacement. …
**CWE**: CWE-79 (Improper Neutralization of Input During Web Page Generation). **Flaw**: POST request parameters (JSON keys) are reflected in error messages without sanitization. …
**Vendor**: Red Hat Keycloak. **Component**: `keycloak-services`. **Affected Versions**: Before 18.0.0 and after 10.0.0. **Scope**: Impacts all available realms on the instance.
Q4. What can hackers do? (Privileges/Data)
**Privileges**: No authentication required. **Data Access**: Can steal session cookies, tokens, or personal data of logged-in users. **Action**: Execute arbitrary JavaScript in the context of the victim's browser.
Q5. Is the exploitation threshold high? (Auth/Config)
**Threshold**: LOW. **Auth**: None required. **Trigger**: A simple POST request with a malformed JSON key. **Access**: Publicly accessible endpoint; anyone can trigger it.
Q6. Is there a public exploit? (PoC/Wild Exploitation)
**Exploits**: YES. Multiple PoCs are available on GitHub (e.g., ndmalc, Cappricio-Securities). **Tools**: Scanners such as Nuclei and custom Python tools exist. …
**Check**: Send a POST to `/clients-registrations` with a JSON key containing HTML/JS. **Observe**: Look for the reflected script in a `text/html` response. …
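Added example (not Keycloak's code and not part of the analysis above): a hypothetical model of the flaw described above (an unknown JSON key echoed raw into an HTML error page) beside a hardened variant, plus a defender-side check that decides from a captured response whether a harmless probe marker came back unescaped in a `text/html` body. `KNOWN_KEYS`, the function names and the error wording are assumptions; nothing here sends network traffic.

```python
import html
import json

# Hypothetical schema for the model; Keycloak's real one is not reproduced here.
KNOWN_KEYS = {"clientId", "redirectUris", "protocol"}

# Constructed, harmless probe: a bare tag name carries the HTML-significant
# characters (< >) that an unescaped reflection would preserve verbatim.
MARKER = "<probe-marker>"
PROBE_BODY = json.dumps({MARKER: "x"})


def parse_registration(body):
    """Parse the JSON body; raise ValueError naming the first unknown key."""
    data = json.loads(body)
    for key in data:
        if key not in KNOWN_KEYS:
            raise ValueError(key)
    return data


def vulnerable_error_response(body):
    """Vulnerable pattern: the unknown key is interpolated into an HTML error."""
    try:
        parse_registration(body)
        return "application/json", json.dumps({"status": "ok"})
    except ValueError as exc:
        # Attacker-controlled text lands unescaped in a text/html response.
        return "text/html", f"<html><body>Unrecognized field '{exc}'</body></html>"


def hardened_error_response(body):
    """Hardened pattern: JSON content type and HTML-escaped message (defense in depth)."""
    try:
        parse_registration(body)
        return "application/json", json.dumps({"status": "ok"})
    except ValueError as exc:
        safe = html.escape(str(exc), quote=True)
        return "application/json", json.dumps({"error": f"Unrecognized field '{safe}'"})


def reflects_unescaped(content_type, body, marker=MARKER):
    """True when a captured response would render as HTML and still contains the
    probe marker verbatim, i.e. the reflection the check above looks for."""
    media_type = content_type.split(";")[0].strip().lower()
    return media_type == "text/html" and marker in body
```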
**Fix**: Upgrade Keycloak to version **18.0.0 or later**. **Official**: Red Hat has addressed this in newer releases. **Action**: Apply vendor patches immediately.
Q9. What if no patch? (Workaround)
**Workaround**: If patching isn't possible, implement WAF rules to block POST requests with suspicious JSON keys. **Filter**: Sanitize input at the reverse proxy level. …