CVE-2017-15878
MEDIUM6.1EPSS 3.6%Cross-Site Scripting in keystone
Published: 11/15/2017Modified: 11/8/2023
Also known as:GHSA-7qcx-jmrc-h2rr
Description
Versions of `keystone` prior to 4.0.0 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize user input on the `Contact Us` page, allowing attackers to submit contact forms with malicious JavaScript in the message field. The output is not properly encoded leading an admin that opens new inquiry to execute the arbitrary JavaScript supplied in their browser. ## Recommendation Update to version 4.0.0 or later.
Affected packages (1)
- npm/keystonefrom 0, < 4.0.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
References (10)
- ADVISORYhttps://github.com/advisories/GHSA-7qcx-jmrc-h2rr
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2017-15878
- PATCHhttps://github.com/keystonejs/keystone
- WEBhttp://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report
- WEBhttps://github.com/keystonejs/keystone/pull/4478
- WEBhttps://packetstormsecurity.com/files/144756/KeystoneJS-4.0.0-beta.5-Unauthenticated-Stored-Cross-Site-Scripting.html
- WEBhttps://securelayer7.net/download/pdf/KeystoneJS-Pentest-Report-SecureLayer7.pdf
- WEBhttps://www.exploit-db.com/exploits/43054
- WEBhttps://www.npmjs.com/advisories/980
- WEBhttp://www.securityfocus.com/bid/101541