The CVE-2023-6484 vulnerability operates through the `error_description` query parameter of Keycloak's account console. When an error page is triggered, the application embeds the value of this parameter directly into the page content without sufficient validation. Although the output is HTML-encoded, which prevents traditional cross-site scripting (XSS), the value is never checked against what the application itself would emit. An attacker can therefore craft a URL that carries a completely fabricated error message; when a victim opens that link, the deceptive text is rendered inside the legitimate, trusted Keycloak interface. The flaw supports phishing campaigns: false information such as fake technical-support contact details or attacker-controlled URLs appears to originate from the system itself, so users are more likely to believe it.
Platform: Keycloak
Version: < 22.0.4
Vulnerability: URL Redirection
Severity: Medium
Date: 2024-02-13
Prediction: Patch 2024-02-20
What Undercode Says:
```bash
curl "http://keycloak.example.com/realms/myrealm/account/?error_description=Fake%20Support:%201-800-123-4567"
```

```html
<!-- Rendered in trusted page context -->
<div class="error-panel">
  Fake Support: 1-800-123-4567
</div>
```
How to Exploit:
Craft malicious URLs with deceptive `error_description` content.
Distribute phishing links to target users.
Display fake support info in a trusted UI.
Protection from this CVE:
Update to Keycloak 22.0.4.
Implement strict URL validation.
Sanitize all user-input parameters.
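The following Python is an added example, written for this page and not taken from Keycloak or from the post above. It shows the two defensive controls the list above describes: the error panel is rendered from a server-side table keyed by the parameter value rather than reflecting the raw text, and a log check flags requests whose `error_description` carries free text, links or phone-like digit runs instead of a known error code. The error table, the regexes, the length threshold and the access-log lines are all constructed assumptions; adjust them to the codes your deployment actually emits.

```python
"""Mitigation and detection for reflected error text (illustrative, not Keycloak code)."""
import html
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Assumption: the application knows the fixed set of error conditions it reports.
# The parameter is used only as a lookup key; the displayed text never comes from the URL.
KNOWN_ERRORS = {
    "invalid_request": "The request was malformed.",
    "access_denied": "Access was denied.",
    "invalid_token": "The session token is invalid or expired.",
    "server_error": "An internal error occurred. Please try again later.",
}
GENERIC_MESSAGE = "An error occurred."


def render_error_panel(error_description: Optional[str]) -> str:
    """Render the error panel from server-controlled text; unknown keys fall back to a generic message."""
    key = (error_description or "").strip().lower()
    message = KNOWN_ERRORS.get(key, GENERIC_MESSAGE)
    # html.escape is defence in depth: the table text is already static.
    return f'<div class="error-panel">{html.escape(message)}</div>'


# Detection heuristics (constructed): legitimate values are short identifiers with no
# links or phone-like digit runs. Dates such as 2024-02-13 also match PHONE_RE, which is
# acceptable for a triage signal but would need tuning for an automated block.
URL_RE = re.compile(r"(?i)\b(?:https?://|www\.)\S+")
PHONE_RE = re.compile(r"\b(?:\+?\d[\d\-\s().]{6,}\d)\b")
MAX_LEN = 64


def is_suspicious_error_description(value: str) -> bool:
    """True when the value is not a known error code and looks like injected free text."""
    if value.strip().lower() in KNOWN_ERRORS:
        return False
    if len(value) > MAX_LEN:
        return True
    return bool(URL_RE.search(value) or PHONE_RE.search(value))


# Common Log Format: client, ident, user, [timestamp], "METHOD path HTTP/x.y", status, size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')


def scan_access_log(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (client_ip, decoded error_description) for requests whose value looks injected."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        client_ip, path = match.groups()
        query = parse_qs(urlparse(path).query)
        for value in query.get("error_description", []):
            if is_suspicious_error_description(value):
                hits.append((client_ip, value))
    return hits


# Constructed sample log lines (documentation IP ranges, not real clients).
SAMPLE_LOG = [
    '203.0.113.5 - - [13/Feb/2024:10:00:01 +0000] "GET /realms/myrealm/account/?error_description=Fake%20Support:%201-800-123-4567 HTTP/1.1" 200 512',
    '198.51.100.7 - - [13/Feb/2024:10:00:02 +0000] "GET /realms/myrealm/account/?error_description=invalid_token HTTP/1.1" 200 498',
    '198.51.100.9 - - [13/Feb/2024:10:00:03 +0000] "GET /realms/myrealm/account/ HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    print(render_error_panel("Fake Support: 1-800-123-4567"))
    print(render_error_panel("invalid_token"))
    for ip, value in scan_access_log(SAMPLE_LOG):
        print(f"suspicious error_description from {ip}: {value!r}")
```

The rendering side removes the problem entirely: whatever the parameter contains, the only strings that can reach the page are the ones in the table. The log scan is for hunting after the fact, for example on an instance that has not yet been upgraded to 22.0.4, where a value containing a phone number or URL is a reasonable indicator that phishing links were sent to users.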
Impact:
User deception and phishing
Brand Reputation Damage
Sources:
Reported By: github.com