Home > Vulnerability Database > CVE-2022-1274

Mend.io Vulnerability Database

CVE-2022-1274

Good to know:

Date: March 28, 2023

A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users. After conducting further research, Mend has determined that all versions of keycloak-services up to version 20.0.4 are vulnerable to CVE-2022-1274.

Language: Java

Severity Score

5.4

Related Resources (9)

Url: https://herolab.usd.de/security-advisories/usd-2021-0033/

Url: https://github.com/keycloak/keycloak/commit/fc3c61235fa30132123c17ed8702ff7b3a672fe9

Url: https://github.com/keycloak/keycloak/pull/16764

Url: https://bugzilla.redhat.com/show_bug.cgi?id=2073157

Url: https://herolab.usd.de/security-advisories/usd-2021-0033

Url: https://github.com/keycloak/keycloak

Url: https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725

Url: https://nvd.nist.gov/vuln/detail/CVE-2022-1274

Url: https://www.mend.io/vulnerability-database/CVE-2022-1274

Severity Score

5.4

Weakness Type (CWE)

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CWE-79

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)

CWE-80

Top Fix

Upgrade Version

Upgrade to version org.keycloak:keycloak-services:20.0.5

Learn More

CVSS v3.1

Base Score:	5.4
Attack Vector (AV):	NETWORK
Attack Complexity (AC):	LOW
Privileges Required (PR):	LOW
User Interaction (UI):	REQUIRED
Scope (S):	CHANGED
Confidentiality (C):	LOW
Integrity (I):	LOW
Availability (A):	NONE

Mend.io Vulnerability Database

We found results for “”

CVE-2022-1274

Good to know:

Date: March 28, 2023

Language: Java

Severity Score

Related Resources (9)

Severity Score

Weakness Type (CWE)

Top Fix

Upgrade Version

CVSS v3.1

Do you need more information?