Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
githubGitHub Advisory DatabaseGHSA-7QCX-JMRC-H2RR
HistoryNov 15, 2017 - 7:44 p.m.

Cross-Site Scripting in keystone

2017-11-1519:44:16
CWE-79
GitHub Advisory Database
github.com
13

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.003 Low

EPSS

Percentile

71.8%

JSON

Versions of keystone prior to 4.0.0 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize user input on the Contact Us page, allowing attackers to submit contact forms with malicious JavaScript in the message field. The output is not properly encoded leading an admin that opens new inquiry to execute the arbitrary JavaScript supplied in their browser.

Recommendation

Update to version 4.0.0 or later.

Affected configurations

Vulners
Node
keystone-enginekeystoneRange<4.0.0
CPENameOperatorVersion
keystonelt4.0.0

Related

osv 3
cve 2
zdt 1
exploitpack 1
nvd 2
cvelist 2
packetstorm 1
veracode 1
prion 2
exploitdb 1
osv
osv
Cross-Site Scripting in keystone
2017-11-15 19:44:16
CVE-2017-15878
2017-10-24 21:29:00
CVE-2017-15881
2017-10-24 22:29:00
cve
cve
CVE-2017-15878
2017-10-24 21:29:00
CVE-2017-15881
2017-10-24 22:29:00
zdt
zdt
KeystoneJS 4.0.0-beta.5 Unauthenticated Stored Cross Site Scripting Vulnerability
2017-10-25 00:00:00
exploitpack
exploitpack
KeystoneJS 4.0.0-beta.5 - Cross-Site Scripting
2017-10-25 00:00:00
nvd
nvd
CVE-2017-15878
2017-10-24 21:29:00
CVE-2017-15881
2017-10-24 22:29:00
cvelist
cvelist
CVE-2017-15878
2017-10-24 21:00:00
CVE-2017-15881
2017-10-24 22:00:00
packetstorm
packetstorm
KeystoneJS 4.0.0-beta.5 Unauthenticated Stored Cross Site Scripting
2017-10-25 00:00:00
veracode
veracode
Cross-site Scripting (XSS)
2017-10-25 01:55:49
prion
prion
Cross site scripting
2017-10-24 21:29:00
Cross site scripting
2017-10-24 22:29:00
exploitdb
exploitdb
KeystoneJS 4.0.0-beta.5 - Cross-Site Scripting
2017-10-25 00:00:00

4.3 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

NONE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

6.1 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

0.003 Low

EPSS

Percentile

71.8%

JSON
Related for GHSA-7QCX-JMRC-H2RR
osv3cve2zdt1exploitpack1nvd2cvelist2packetstorm1veracode1prion2exploitdb1