Home > Vulnerability Database > CVE-2021-20195

Mend.io Vulnerability Database

CVE-2021-20195

Good to know:

Date: May 28, 2021

A flaw was found in keycloak in versions before 13.0.0. A Self Stored XSS attack vector escalating to a complete account takeover is possible due to user-supplied data fields not being properly encoded and Javascript code being used to process the data. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.

Language: Java

Severity Score

9.6

Related Resources (4)

Url: https://nvd.nist.gov/vuln/detail/CVE-2021-20195

Url: https://github.com/keycloak/keycloak/commit/717d9515fa131e3d8c8936e41b2e52270fdec976

Url: https://bugzilla.redhat.com/show_bug.cgi?id=1919143

Url: https://www.mend.io/vulnerability-database/CVE-2021-20195

Severity Score

9.6

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Improper Encoding or Escaping of Output

CWE-116

Improper Input Validation

CWE-20

Top Fix

Upgrade Version

Upgrade to version org.keycloak:keycloak-core:13.0.0

Learn More

CVSS v3.1

Base Score:	9.6
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	NONE
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	HIGH
Integrity (I):	HIGH
Availability (A):	HIGH

CVSS v2

Base Score:	6.8
Access Vector (AV):	NETWORK
Access Complexity (AC):	MEDIUM
Authentication (AU):	NONE
Confidentiality (C):	PARTIAL
Integrity (I):	PARTIAL
Availability (A):	PARTIAL
Additional information:

Mend.io Vulnerability Database

We found results for “”

CVE-2021-20195

Good to know:

Date: May 28, 2021

Language: Java

Severity Score

Related Resources (4)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

CVSS v2

Do you need more information?