I’m running Keycloak 15 that has an XSS security vulnerability, 2013577 – (CVE-2021-20323) CVE-2021-20323 keycloak-services: POST based reflected Cross Site Scripting vulnerability, Reflected XSS on clients-registrations endpoint. It’s fixed in 18.0.0, but I cannot upgrade to 18.0.0 (that would be the best, I know). So I’m looking at workarounds to mitigate. But how can I do that? Disable screens/urls?
In case you haven’t seen Important security vulnerability discovered - Keycloak?
Do you use Client Registration? If yes, maybe use an ACL to limit the endpoint to known networks. If no, maybe limit to 127.0.0.1. For how to make an ACL, see Hardening Keycloak?
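As an added example (not from this thread or from the Keycloak project), here is what the ACL suggested above could look like when an nginx reverse proxy sits in front of Keycloak 15. It assumes the default `/auth` context path of the WildFly-based distribution, an upstream named `keycloak`, and a constructed placeholder admin network `10.0.0.0/8`; adjust those to your deployment. Only the `clients-registrations` path named in the CVE is restricted, so normal login and token endpoints keep working.

```nginx
# Added example: restrict the client-registration endpoint affected by
# CVE-2021-20323 to known networks. Assumes Keycloak 15 behind nginx with
# the default /auth context path; 10.0.0.0/8 is a constructed placeholder.
upstream keycloak {
    server 127.0.0.1:8080;   # assumption: Keycloak listens locally on 8080
}

server {
    listen 443 ssl;
    server_name sso.example.invalid;   # placeholder hostname

    # Restricted location must be matched before the catch-all below;
    # nginx prefers the first matching regex location in file order.
    location ~ ^/auth/realms/[^/]+/clients-registrations/ {
        allow 10.0.0.0/8;   # trusted network that legitimately registers clients
        allow 127.0.0.1;    # local automation on the proxy host
        deny  all;          # everyone else gets 403, never reaching Keycloak

        proxy_pass         http://keycloak;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }

    # Everything else (login pages, token endpoint, account console) unchanged.
    location / {
        proxy_pass         http://keycloak;
        proxy_set_header   Host              $host;
        proxy_set_header   X-Real-IP         $remote_addr;
        proxy_set_header   X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $scheme;
    }
}
```

If you do not use client registration at all, drop the `allow 10.0.0.0/8` line so only `127.0.0.1` (or nothing) remains. After `nginx -t` and a reload, confirm the rule from an untrusted address: a request to `/auth/realms/<realm>/clients-registrations/default` should return `403` from nginx rather than any response from Keycloak, while `/auth/realms/<realm>/protocol/openid-connect/token` still answers.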
Thanks for the reply. Yes I saw the link you posted. Would blocking access to the user creation REST endpoint be enough to mitigate?