org.keycloak:keycloak-themes 2.3.0.CR1

Direct Vulnerabilities

Known vulnerabilities in the org.keycloak:keycloak-themes package. This does not include vulnerabilities belonging to this package’s dependencies.

Fix vulnerabilities automatically

Snyk's AI Trust Platform automatically finds the best upgrade path and integrates with your development workflows. Secure your code at zero cost.

Fix for free

Vulnerability	Vulnerable Version
M Cross-site Scripting (XSS) Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in `select-organization.ftl` - shown on the organization selection login page - since the `organization.alias` value is inserted into an inline JavaScript `onclick` handler. A user with `manage-realm` or `manage-organizations` permissions can execute arbitrary JavaScript in a user's browser by creating an organization with a malicious alias containing a script. This is only exploitable if the Organizations feature is enabled for the target realm. How to fix Cross-site Scripting (XSS)? A fix was pushed into the `master` branch but not yet published.	[0,)
M Cross-site Scripting (XSS) Affected versions of this package are vulnerable to Cross-site Scripting (XSS) due to improper user-input sanitization in the `oob` OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker. How to fix Cross-site Scripting (XSS)? Upgrade `org.keycloak:keycloak-themes` to version 21.0.0 or higher.	[,21.0.0)
M Cross-site Scripting (XSS) Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via the `execute-actions-email` endpoint in the admin REST API. Users can inject HTML into emails sent to other users. How to fix Cross-site Scripting (XSS)? Upgrade `org.keycloak:keycloak-themes` to version 20.0.4 or higher.	[,20.0.4)
M Cross-site Scripting (XSS) Affected versions of this package are vulnerable to Cross-site Scripting (XSS). It allows a privileged attacker to execute malicious scripts in the admin console, abusing the default roles functionality. How to fix Cross-site Scripting (XSS)? Upgrade `org.keycloak:keycloak-themes` to version 19.0.2 or higher.	[,19.0.2)
M Cross-site Scripting (XSS) Affected versions of this package are vulnerable to Cross-site Scripting (XSS) via `loggedInUserName` and `referrerUri`. How to fix Cross-site Scripting (XSS)? Upgrade `org.keycloak:keycloak-themes` to version 13.0.0 or higher.	[0,13.0.0)

Vulnerability

Vulnerable Version

Cross-site Scripting (XSS)

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) in select-organization.ftl - shown on the organization selection login page - since the organization.alias value is inserted into an inline JavaScript onclick handler. A user with manage-realm or manage-organizations permissions can execute arbitrary JavaScript in a user's browser by creating an organization with a malicious alias containing a script. This is only exploitable if the Organizations feature is enabled for the target realm.