{"id":"CVE-2022-4137","details":"A reflected cross-site scripting (XSS) vulnerability was found in the 'oob' OAuth endpoint due to incorrect null-byte handling. This issue allows a malicious link to insert an arbitrary URI into a Keycloak error page. This flaw requires a user or administrator to interact with a link in order to be vulnerable. This may compromise user details, allowing it to be changed or collected by an attacker.","aliases":["GHSA-9hhc-pj4w-w5rv"],"modified":"2026-05-04T08:42:32.313278Z","published":"2023-09-25T20:15:09.897Z","withdrawn":"2026-05-04T08:42:32.313278Z","references":[{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2023:1044"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2023:1045"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2023:1049"},{"type":"ADVISORY","url":"https://access.redhat.com/security/cve/CVE-2022-4137"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2023:1043"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2148496"}],"affected":[{"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-4137.json","unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"7.6"}]}]}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"}]}