Advisory ID: usd-2021-0033
Product: Password Keycloak
Affected Versions: < 20.0.5
Vulnerability Type: CWE-74: Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
Security Risk: LOW
Vendor: Red Hat
Vendor URL: https://www.keycloak.org/security.html
CVE number: CVE-2022-1274
Affected Component(s): PUT /{realm}/users/{id}/execute-actions-email (see documentation https://www.keycloak.org/docs-api/15.0/rest-api/index.html)

Summary:
The "execute-actions-email" endpoint of the Keycloak Admin REST API allows a malicious actor to send emails containing phishing links to Keycloak users.

Fix:
HTML special characters should be encoded before the application embeds them into emails.

Timeline:
- 2021-12-14: Vulnerability reported to the Responsible Disclosure team of usd AG
- 2021-06-14: Sent reminder to vendor
- 2023-02-27: Issue fixed in Keycloak 20.0.5
- 2023-12-22: Publish advisory

Credits:
Found by Marcus Nilsson of usd AG.
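The fix recommended above is contextual output encoding. The following is an added, stand-alone illustration of that fix; it is not Keycloak's code and does not reproduce the affected template. The advisory does not name the injected field, so the `display_name` field, the email template, the trusted host and the sample values are assumptions constructed for the demonstration. It renders the same email body once with raw interpolation and once with HTML encoding plus a link origin check, and extracts the clickable targets from each so the difference can be verified.

```python
"""Added example for usd-2021-0033: HTML-encode user-controlled values
before embedding them in an HTML email. Example code, not Keycloak's own;
field names, template and sample values are assumptions."""
import html
import re
from urllib.parse import urlparse

# Constructed sample data. `display_name` is a hypothetical user-controlled
# field; the value carries markup that would render as a clickable link.
MALICIOUS_DISPLAY_NAME = (
    'Alice <a href="https://example.invalid/login">Reset your password here</a>'
)
# Assumed host of the legitimate identity provider and a placeholder action URL.
TRUSTED_HOST = "sso.example.test"
TRUSTED_ACTION_LINK = (
    "https://sso.example.test/realms/demo/login-actions/action-token?key=placeholder"
)


def render_vulnerable(display_name: str, action_link: str) -> str:
    """Raw interpolation: any markup in display_name reaches the mail client."""
    return (
        f"<p>Hello {display_name},</p>"
        f'<p>Please <a href="{action_link}">complete the required actions</a>.</p>'
    )


def require_trusted_link(link: str) -> str:
    """Only allow an https link pointing at the identity provider's own host."""
    parsed = urlparse(link)
    if parsed.scheme != "https" or parsed.netloc != TRUSTED_HOST:
        raise ValueError(f"refusing to embed untrusted link: {link!r}")
    return link


def render_hardened(display_name: str, action_link: str) -> str:
    """Encode user-controlled text for the HTML body and attribute-encode the
    (origin-checked) action link before placing it inside href="..."."""
    safe_name = html.escape(display_name, quote=True)
    safe_link = html.escape(require_trusted_link(action_link), quote=True)
    return (
        f"<p>Hello {safe_name},</p>"
        f'<p>Please <a href="{safe_link}">complete the required actions</a>.</p>'
    )


def clickable_targets(body: str) -> list[str]:
    """Review helper: list every href target a mail client would render as a link.
    Encoded markup (href=&quot;...) is plain text and therefore not matched."""
    return re.findall(r'href="([^"]*)"', body)


if __name__ == "__main__":
    vulnerable = render_vulnerable(MALICIOUS_DISPLAY_NAME, TRUSTED_ACTION_LINK)
    hardened = render_hardened(MALICIOUS_DISPLAY_NAME, TRUSTED_ACTION_LINK)
    print("vulnerable links:", clickable_targets(vulnerable))
    print("hardened links:  ", clickable_targets(hardened))
```

Running the script shows two clickable targets in the unencoded email, one of them the attacker's, and exactly one (the legitimate action link) in the encoded version; the injected anchor survives only as visible text.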