Description
A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users.
Remediation
References
https://bugzilla.redhat.com/show_bug.cgi?id=2073157
https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725
https://herolab.usd.de/security-advisories/usd-2021-0033/
Related Vulnerabilities
CVE-2020-26272 Vulnerability in maven package org.webjars.npm:electron
CVE-2017-11555 Vulnerability in maven package org.webjars.npm:node-sass
CVE-2022-28731 Vulnerability in maven package org.apache.jspwiki:jspwiki-main
CVE-2023-41329 Vulnerability in maven package org.wiremock:wiremock
CVE-2021-46708 Vulnerability in maven package com.microfocus.webjars:swagger-ui-dist