Description
A flaw was found in Keycloak's execute-actions-email endpoint, the Admin REST API call that sends a user an e-mail containing a link to perform required actions. A value supplied to this endpoint is placed into the HTML e-mail without being escaped, so a caller can inject arbitrary HTML into the message that Keycloak sends to the user. Because the mail originates from the legitimate Keycloak server, injected content (for example a fake "verify your account" link) can be used for phishing or other attacks against users. The caller must be permitted to invoke the endpoint, so the practical impact is that an account with that permission can send convincing, attacker-authored mail through the identity provider.
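As an added illustration of the bug class, not Keycloak's own code and not the exploit from the advisories below: a caller-controlled value, here assumed to be a redirect URI passed to an account-action e-mail endpoint, is interpolated into an HTML e-mail template without escaping. The template, the host allow-list, the parameter name and the sample payload are all constructed for this example. The hardened version shows why output escaping is the primary fix: the allow-list check alone still accepts the payload, because the injected markup sits in the URL path, and only escaping keeps it from becoming live HTML in the mail.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample input: a redirect target as a caller of the endpoint
# might supply it. Assumed vector for illustration only; the real payload
# from the advisories is not reproduced here.
MALICIOUS_REDIRECT = (
    'https://app.example.com/"><p>Your account is locked. '
    '<a href="https://evil.example/login">Re-verify here</a></p><a href="'
)
ALLOWED_HOSTS = {"app.example.com"}  # assumed allow-list for this example


def render_vulnerable(recipient, link):
    """Build the action e-mail by plain string interpolation, no escaping.

    Whatever the caller puts in ``link`` lands in the message as live HTML,
    which is the shape of the flaw described above.
    """
    return (
        f"<p>Hello {recipient},</p>"
        f'<p><a href="{link}">Click here</a> to complete your account actions.</p>'
    )


def validate_redirect(link, allowed_hosts):
    """Reject redirect targets that are not https URLs on an allow-listed host.

    This limits open-redirect abuse but does NOT stop HTML injection: the
    sample payload has an allowed host and the markup lives in its path.
    """
    parts = urlsplit(link)
    if parts.scheme != "https" or parts.hostname not in allowed_hosts:
        raise ValueError(f"redirect target not allowed: {link!r}")
    return link


def render_hardened(recipient, link, allowed_hosts):
    """Validate the link, then HTML-escape every value at the point of output.

    html.escape(quote=True) turns ", <, >, & and ' into entities, so the
    payload cannot close the href attribute or open new tags.
    """
    link = validate_redirect(link, allowed_hosts)
    safe_link = html.escape(link, quote=True)
    safe_recipient = html.escape(recipient, quote=True)
    return (
        f"<p>Hello {safe_recipient},</p>"
        f'<p><a href="{safe_link}">Click here</a> to complete your account actions.</p>'
    )


class _LinkCollector(HTMLParser):
    """Collect href values of <a> tags the way a mail client would see them."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value is not None:
                    self.hrefs.append(value)


def link_hosts(body):
    """Return the hostnames of all links a client would render from ``body``.

    Used here as the check: a second link pointing at the attacker's host
    means the injection succeeded.
    """
    parser = _LinkCollector()
    parser.feed(body)
    parser.close()
    return [urlsplit(href).hostname for href in parser.hrefs]


if __name__ == "__main__":
    vulnerable = render_vulnerable("alice", MALICIOUS_REDIRECT)
    hardened = render_hardened("alice", MALICIOUS_REDIRECT, ALLOWED_HOSTS)
    print("vulnerable links:", link_hosts(vulnerable))  # includes evil.example
    print("hardened links:  ", link_hosts(hardened))    # only app.example.com
```

Running the block shows the vulnerable template producing a second, attacker-controlled link in the mail while the hardened one yields a single link to the allowed host with the payload inert inside the href. In a template engine such as FreeMarker the equivalent is to render untrusted values through the engine's HTML auto-escaping rather than as raw text.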
Remediation
References
https://bugzilla.redhat.com/show_bug.cgi?id=2073157
https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725
https://herolab.usd.de/security-advisories/usd-2021-0033/
Related Vulnerabilities
CVE-2018-14042 Vulnerability in maven package org.webjars.bowergithub.twbs:bootstrap
CVE-2022-45921 Vulnerability in maven package io.fusionauth:fusionauth-java-client
CVE-2022-46682 Vulnerability in maven package org.jenkins-ci.plugins:plot
CVE-2020-6462 Vulnerability in maven package org.webjars.npm:electron
CVE-2023-22457 Vulnerability in maven package org.xwiki.contrib:application-ckeditor-ui