Red Hat Build of Keycloak
cpe:2.3:a:redhat:build_of_keycloak:*:*:*:*:*:*:*
A stored cross-site scripting vulnerability has been identified in the organization selection login page of Keycloak. This issue allows remote attackers with 'manage-realm' or 'manage-organizations' administrative privileges to inject malicious JavaScript that executes in the context of the user's browser. The vulnerability arises because the 'organization.alias' is inserted into an inline JavaScript 'onclick' handler, bypassing proper HTML escaping. Exploitation of this flaw could lead to session theft, unauthorized actions on behalf of the user, or additional attacks against users in the affected realm.
Exploitation of this vulnerability allows for the execution of arbitrary JavaScript in the context of the user's browser, potentially leading to session theft, unauthorized account actions, or further attacks against users of the affected realm.
To mitigate this vulnerability, restrict access to the Keycloak administration console and login pages to trusted networks, preferably through a VPN or by configuring firewall rules. Ensure that only trusted administrators are given 'manage-realm' or 'manage-organizations' privileges in Keycloak. Regularly review and audit administrative roles to reduce the risk of unauthorized access.
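The description above points at the root cause: a value that lands inside an inline `onclick` handler is parsed by the HTML attribute parser first and then by the JavaScript engine, so HTML entity escaping alone cannot keep it from breaking out of the JavaScript string. The following added example (not Keycloak's own code; `selectOrg`, `renderUnsafe`, `renderSafe`, `renderJsEscaped` and `checkHandler` are assumed names, and the alias is a constructed sample) models that template shape, shows two safe renderings, and includes a check a reviewer can run over rendered HTML.

```javascript
// Added example (not Keycloak's code): why HTML escaping alone does not protect a value
// interpolated into an inline onclick handler, and two ways to render it safely.
// selectOrg, renderUnsafe, renderSafe, renderJsEscaped and checkHandler are assumed names.

// HTML entity escaping: correct for text nodes and attribute values, but not for
// the JavaScript string that an inline handler contains.
const htmlEscape = (s) => String(s).replace(/[&<>"']/g, (c) =>
  ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' })[c]);

// JavaScript string-literal escaping: every non-alphanumeric character becomes \xNN or
// \uNNNN, so the result can never close the surrounding quote or open a tag.
const jsStringEscape = (s) => String(s).replace(/[^A-Za-z0-9]/g, (c) => {
  const code = c.charCodeAt(0);
  return code > 0xff ? '\\u' + code.toString(16).padStart(4, '0')
                     : '\\x' + code.toString(16).padStart(2, '0');
});

// What the browser does with an attribute value before the JS engine ever sees it.
const decodeAttr = (s) => s.replace(/&#39;/g, "'").replace(/&quot;/g, '"')
  .replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');

// Vulnerable shape (modelled on the advisory): alias lands inside inline JS, HTML-escaped only.
const renderUnsafe = (alias) =>
  `<button onclick="selectOrg('${htmlEscape(alias)}')">${htmlEscape(alias)}</button>`;

// Fix 1: no inline handler at all; the alias goes into a data attribute and the page's
// own script attaches the click listener and reads button.dataset.orgAlias.
const renderSafe = (alias) =>
  `<button data-org-alias="${htmlEscape(alias)}">${htmlEscape(alias)}</button>`;

// Fix 2: if inline JS is unavoidable, escape for the JS string context first, then
// HTML-escape for the attribute (innermost context first, outermost context last).
const renderJsEscaped = (alias) =>
  `<button onclick="selectOrg('${htmlEscape(jsStringEscape(alias))}')">${htmlEscape(alias)}</button>`;

// Defender check: after attribute decoding, the handler must still be exactly one
// selectOrg call holding a single intact string literal. Returns true when intact.
function checkHandler(html) {
  const m = html.match(/onclick="([^"]*)"/);
  if (!m) return true;                       // no inline handler: nothing to break out of
  const js = decodeAttr(m[1]);
  return /^selectOrg\('(?:[^'\\]|\\.)*'\)$/.test(js);
}

// Constructed sample: an ordinary alias containing an apostrophe is enough to show the problem.
const ALIAS = "O'Brien Holdings";
console.log(renderUnsafe(ALIAS), checkHandler(renderUnsafe(ALIAS)));       // false
console.log(renderSafe(ALIAS), checkHandler(renderSafe(ALIAS)));           // true
console.log(renderJsEscaped(ALIAS), checkHandler(renderJsEscaped(ALIAS))); // true
```

The unsafe rendering fails the check even though `htmlEscape` was applied, because `&#39;` is decoded back to a quote before the handler source is parsed; both fixes pass.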