CyberAlerts is shutting down on June 30th, 2025. Thank you for your support!

CVE-2024-4028: Keycloak-core: stored xss in keycloak when creating a items in admin console

Description

A vulnerability was found in Keycloak. This issue may allow a privileged attacker to use a malicious payload as the permission while creating items (Resource and Permissions) from the admin console, leading to a stored cross-site scripting (XSS) attack.

Classification

CVE ID: CVE-2024-4028

Affected Products

Vendor: Red Hat

Product: Red Hat Build of Keycloak

Exploit Prediction Scoring System (EPSS)

EPSS Score: 0.04% (probability of being exploited)

EPSS Percentile: 6.77% (scored less or equal to compared to others)

EPSS Date: 2025-03-19 (when was this score calculated)

References

https://access.redhat.com/security/cve/CVE-2024-4028
https://bugzilla.redhat.com/show_bug.cgi?id=2276418

Timeline

2025-02-19 00:30:18 UTC
CVE

Keycloak-core: stored xss in keycloak when creating a items in admin console
2025-02-20 21:15:17 UTC
Github Advisory Database (Maven)

[org.keycloak:keycloak-core] Keycloak allows cross-site scripting (XSS)