Keycloak Update (MINDBREEZE23311)

ID: MINDBREEZE23311
Affected Components: Mindbreeze InSpire G7, Mindbreeze InSpire SaaS
Severity: 6.8 Medium
Status: Final
First published: October 20, 2023
CVEs: CVE-2022-1438, CVE-2022-3916, CVE-2023-0264

Summary

  • CVE-2022-1438 Keycloak: XSS vulnerability in username field via administrator
  • CVE-2022-3916 Keycloak: issue when using a client with the offline_access scope, allowing user session takeover
  • CVE-2023-0264 Keycloak: OpenID Connect user authentication vulnerable to user impersonation via stolen UUID code


Hotfix Information

Fixed with the following versions of Mindbreeze InSpire On-Premises or Mindbreeze InSpire SaaS:

  • Mindbreeze InSpire 23.3 Release (Version 23.3.0.274)
  • Mindbreeze InSpire 23.3 SaaS Release (Version 23.3.0.274)