CVE-2020-1697: 
Java vulnerability analysis and mitigation

A stored Cross-Site Scripting (XSS) vulnerability was discovered in Keycloak versions before 9.0.0, identified as CVE-2020-1697. The vulnerability exists in the Admin Console application where links to external applications (Application Links) are not validated properly. This security flaw was discovered in February 2020 and allows an authenticated malicious user to create URLs that could trick users in other realms and potentially conduct further attacks (NVD).

The vulnerability affects the BaseURL parameter within the Clients settings page of the admin console application. The parameter accepts any characters without proper validation, allowing the insertion of malicious JavaScript URLs. The vulnerability has been assigned a CVSS v3.1 base score of 5.4 (Medium) by NIST with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N. Red Hat assessed it with a slightly higher CVSS score of 6.1 (Medium) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N (NVD).

The vulnerability allows authenticated attackers to perform stored XSS attacks through the client settings via application links. This could potentially lead to the execution of arbitrary JavaScript code in the context of other users' browsers who access the affected admin console pages (Red Hat CVE).

The vulnerability was fixed in Keycloak version 9.0.0. Users are advised to upgrade to this version or later to address the security issue. Red Hat has released several security advisories (RHSA-2020:2252, RHSA-2020:2905) that include fixes for this vulnerability across different products in their ecosystem (Red Hat Advisory).

The vulnerability was discovered and reported by security researchers from Cure53 Berlin, highlighting the importance of proper input validation in web applications (Bugzilla).