4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.003 Low
EPSS
Percentile
71.8%
Versions of keystone
prior to 4.0.0 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize user input on the Contact Us
page, allowing attackers to submit contact forms with malicious JavaScript in the message field. The output is not properly encoded leading an admin that opens new inquiry to execute the arbitrary JavaScript supplied in their browser.
Update to version 4.0.0 or later.
blog.securelayer7.net/keystonejs-open-source-penetration-testing-report/
www.securityfocus.com/bid/101541
github.com/advisories/GHSA-7qcx-jmrc-h2rr
github.com/keystonejs/keystone/pull/4478
nvd.nist.gov/vuln/detail/CVE-2017-15878
packetstormsecurity.com/files/144756/KeystoneJS-4.0.0-beta.5-Unauthenticated-Stored-Cross-Site-Scripting.html
securelayer7.net/download/pdf/KeystoneJS-Pentest-Report-SecureLayer7.pdf
www.exploit-db.com/exploits/43054/
www.npmjs.com/advisories/980
4.3 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
6.1 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
CHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
0.003 Low
EPSS
Percentile
71.8%