Description
A flaw was found in Keycloak in the execute-actions-email endpoint of the admin REST API, which sends users an email asking them to complete required actions (for example a password reset). Because values taken from the request are placed into the generated email without HTML escaping, a caller of this endpoint can inject arbitrary HTML into emails that Keycloak sends to its users. Such an email carries the realm's own sender address and branding, so the injected content can be misused for phishing or other attacks against those users.
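The following is an added illustration of the bug class, not Keycloak's own code and not taken from the advisories: a minimal action-email renderer in Python that interpolates a request-supplied link into an HTML body unescaped, next to a hardened version that both allowlists the link's host and HTML-escapes it before insertion. The template, the allowed host and the attacker-controlled link value are constructed for the example. The point it makes beyond the description above is that host validation alone is not enough: the injected value below still parses as a URL on the allowed host, and only the escaping step defeats it.

```python
import html
from urllib.parse import urlparse

# Constructed attacker-controlled value (hypothetical, not from the advisory):
# it closes the intended anchor attribute and injects a phishing link, then
# comments out the rest of the template's markup.
INJECTED_LINK = (
    'https://sso.example.com/x"><a href="https://attacker.example/login">'
    'Reset your password now</a><!--'
)

# Constructed stand-in for an HTML email template with a {link} placeholder.
TEMPLATE = (
    "<p>Please complete the required actions for your account:</p>\n"
    '<p><a href="{link}">Click here to proceed</a></p>'
)

# Constructed allowlist of hosts the action link may point to.
ALLOWED_HOSTS = {"sso.example.com"}


def render_vulnerable(link: str) -> str:
    """Vulnerable pattern: the request-supplied link goes into the HTML body
    as-is, so any markup it contains becomes part of the email."""
    return TEMPLATE.format(link=link)


def validate_link(link: str) -> str:
    """Reject links that are not https or not on an allowed host.

    Note that this check alone does NOT stop INJECTED_LINK: urlparse reads the
    host as sso.example.com, and the injected markup lives in the path.
    """
    parsed = urlparse(link)
    if parsed.scheme != "https" or parsed.hostname not in ALLOWED_HOSTS:
        raise ValueError("action link must be an https URL on an allowed host")
    return link


def render_fixed(link: str) -> str:
    """Hardened pattern: validate the destination, then HTML-escape the value
    (including quotes) before it is placed inside the href attribute."""
    safe = validate_link(link)
    return TEMPLATE.format(link=html.escape(safe, quote=True))


def contains_foreign_anchor(body: str) -> bool:
    """Detection helper: True if an anchor pointing at the attacker host
    survived into the rendered email as live markup."""
    return 'href="https://attacker.example' in body


if __name__ == "__main__":
    print("vulnerable render:")
    print(render_vulnerable(INJECTED_LINK))
    print("\nfixed render:")
    print(render_fixed(INJECTED_LINK))
```

Running the block shows the vulnerable render producing a second, attacker-controlled anchor in the email, while the fixed render turns the same input into inert text inside the original href. In a real deployment the escaping belongs in the templating layer (auto-escaping enabled for every interpolated value), and the allowlist should be the realm's registered client redirect URIs rather than a hard-coded host.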
Remediation
References
https://bugzilla.redhat.com/show_bug.cgi?id=2073157
https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725
https://herolab.usd.de/security-advisories/usd-2021-0033/
Related Vulnerabilities
CVE-2022-26477 Vulnerability in maven package org.apache.systemds:systemds
CVE-2019-20364 Vulnerability in maven package org.igniterealtime.openfire:xmppserver
CVE-2021-21627 Vulnerability in maven package org.jenkins-ci.plugins:libvirt-slave
CVE-2022-25854 Vulnerability in npm package @yaireo/tagify
CVE-2021-32730 Vulnerability in maven package org.xwiki.platform:xwiki-platform-administration-ui