CVE-2017-15878
MEDIUM6.1EPSS 3.6%Cross-Site Scripting in keystone
發布日:2017/11/15修改日:2023/11/8
描述
Versions of `keystone` prior to 4.0.0 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize user input on the `Contact Us` page, allowing attackers to submit contact forms with malicious JavaScript in the message field. The output is not properly encoded leading an admin that opens new inquiry to execute the arbitrary JavaScript supplied in their browser. ## Recommendation Update to version 4.0.0 or later.
受影響套件(1)
- npm/keystonefrom 0, < 4.0.0
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
參考連結(10)
- ADVISORYhttps://github.com/advisories/GHSA-7qcx-jmrc-h2rr
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2017-15878
- PATCHhttps://github.com/keystonejs/keystone
- WEBhttp://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report
- WEBhttps://github.com/keystonejs/keystone/pull/4478
- WEBhttps://packetstormsecurity.com/files/144756/KeystoneJS-4.0.0-beta.5-Unauthenticated-Stored-Cross-Site-Scripting.html
- WEBhttps://securelayer7.net/download/pdf/KeystoneJS-Pentest-Report-SecureLayer7.pdf
- WEBhttps://www.exploit-db.com/exploits/43054
- WEBhttps://www.npmjs.com/advisories/980
- WEBhttp://www.securityfocus.com/bid/101541