GHSA-7qcx-jmrc-h2rr
Suggest an improvement- Source
- https://github.com/advisories/GHSA-7qcx-jmrc-h2rr
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/11/GHSA-7qcx-jmrc-h2rr/GHSA-7qcx-jmrc-h2rr.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-7qcx-jmrc-h2rr
- Aliases
- Published
- 2017-11-15T19:44:16Z
- Modified
- 2023-11-08T03:58:58.853594Z
- Severity
-
- 6.1 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N CVSS Calculator
- Summary
- Cross-Site Scripting in keystone
- Details
-
Versions of
keystoneprior to 4.0.0 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize user input on theContact Uspage, allowing attackers to submit contact forms with malicious JavaScript in the message field. The output is not properly encoded leading an admin that opens new inquiry to execute the arbitrary JavaScript supplied in their browser.Recommendation
Update to version 4.0.0 or later.
- Database specific
{ "nvd_published_at": null, "cwe_ids": [ "CWE-79" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:23:19Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2017-15878
- https://github.com/keystonejs/keystone/pull/4478
- https://github.com/advisories/GHSA-7qcx-jmrc-h2rr
- https://github.com/keystonejs/keystone
- https://packetstormsecurity.com/files/144756/KeystoneJS-4.0.0-beta.5-Unauthenticated-Stored-Cross-Site-Scripting.html
- https://securelayer7.net/download/pdf/KeystoneJS-Pentest-Report-SecureLayer7.pdf
- https://www.exploit-db.com/exploits/43054
- https://www.npmjs.com/advisories/980
- http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report
- http://www.securityfocus.com/bid/101541
Affected packages
npm / keystone
Package
- Name
- keystone
- View open source insights on deps.dev
- Purl
- pkg:npm/keystone