| Field | Value |
|---|---|
| purl | pkg:npm/keycloak-connect@0.0.0 |
| Tags | Ghost |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-7j7q-m1zp-zfac (aliases: CVE-2023-0091, GHSA-v436-q368-hvgg, GMS-2023-37) | Keycloak lacks validation of the access token on the client-registration endpoint. A service account with the create-client or manage-clients role can use the client-registration endpoints to create/manage clients with an access token. If the access token is leaked, there is an option to revoke that specific token; however, this check is not performed in the client-registration endpoints. | There are no reported fixed-by versions. |
| VCID-ebn8-cjqs-k3ad (aliases: CVE-2022-4137, GHSA-9hhc-pj4w-w5rv, GMS-2023-616) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). A reflected cross-site scripting (XSS) vulnerability was found in the 'oob' OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing them to be changed or collected by an attacker. | There are no reported fixed-by versions. |
| VCID-gp47-t3vm-57an (aliases: CVE-2022-1438, GHSA-w354-2f3c-qvg9, GMS-2023-529) | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). A flaw was found in Keycloak. Under specific circumstances, HTML entities are not sanitized during user impersonation, resulting in a cross-site scripting (XSS) vulnerability. | There are no reported fixed-by versions. |
| VCID-xq2v-4txb-sueu (aliases: CVE-2023-0105, GHSA-c7xw-p58w-h6fj) | Keycloak: impersonation and lockout possible through incorrect handling of email trust. Impersonation and lockout are possible because email trust is not handled correctly in Keycloak. Since the verified state is not reset when the email changes, it is possible for users to shadow others with the same email and lock out or impersonate them. | There are no reported fixed-by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | | |
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-02T12:39:05.223995+00:00 | GitLab Importer | Affected by | VCID-xq2v-4txb-sueu | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/keycloak-connect/CVE-2023-0105.yml | 38.0.0 |
| 2026-04-02T12:39:05.145118+00:00 | GitLab Importer | Affected by | VCID-7j7q-m1zp-zfac | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/keycloak-connect/CVE-2023-0091.yml | 38.0.0 |
| 2026-04-01T12:51:51.799891+00:00 | GitLab Importer | Affected by | VCID-ebn8-cjqs-k3ad | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/keycloak-connect/CVE-2022-4137.yml | 38.0.0 |
| 2026-04-01T12:51:50.729670+00:00 | GitLab Importer | Affected by | VCID-gp47-t3vm-57an | https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/keycloak-connect/CVE-2022-1438.yml | 38.0.0 |