Miggo Logo
Miggo Vulnerability Database
CVE-2022-1274

CVE-2022-1274: HTML Injection in Keycloak Admin REST API

5.4

CVSS Score
3.1

Basic Information

CVE ID
CVE-2022-1274
GHSA ID
GHSA-m4fv-gm5m-4725
EPSS Score
0.72823%
CWE
CWE-79
Published
3/1/2023
Updated
12/22/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.keycloak:keycloak-servicesmaven< 20.0.520.0.5

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stemmed from two key points: 1) The execute-actions-email endpoint (UserResource.java) accepted unvalidated 'actions' parameters that were directly embedded into emails. The patch added RequiredActionsValidator to block invalid actions. 2) The email template (info.ftl) originally lacked HTML escaping for required action messages, as shown by the addition of kcSanitize in the patch. These two points allowed HTML injection through both input validation gaps and output encoding failures.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

T** `*x**ut*-**tions-*m*il` *n*point o* t** K*y*lo*k **min R*ST *PI *llows * m*li*ious **tor to s*n* *m*ils *ont*inin* p*is*in* links to K*y*lo*k us*rs.

Reasoning

T** vuln*r**ility st*mm** *rom two k*y points: *) T** *x**ut*-**tions-*m*il *n*point (Us*rR*sour**.j*v*) ****pt** unv*li**t** '**tions' p*r*m*t*rs t**t w*r* *ir**tly *m****** into *m*ils. T** p*t** ***** R*quir****tionsV*li**tor to *lo*k inv*li* **ti