OSV: GHSA-7QCX-JMRC-H2RR
History: Nov 15, 2017 - 7:44 p.m.

Cross-Site Scripting in keystone

2017-11-15 19:44:16
Google
osv.dev

EPSS: 0.003 (Low)
Percentile: 71.8%

Versions of keystone prior to 4.0.0 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize user input on the Contact Us page, allowing attackers to submit contact forms with malicious JavaScript in the message field. The output is not properly encoded, so an admin who opens the new inquiry executes the arbitrary JavaScript supplied, in their own browser.

Recommendation

Update to version 4.0.0 or later.
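The defect described above is a missing output-encoding step when a stored contact message is rendered in the admin view. The following is an added example, not keystone's own code: a vulnerable rendering pattern beside its hardened form, with hypothetical function names and a constructed sample inquiry.

```javascript
// Added illustration (not keystone's code). Field names are assumptions.

// Encode the characters that can break out of an HTML text or attribute
// context. Every user-controlled value must pass through this before it
// is interpolated into markup shown to an admin.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable pattern: the stored message is interpolated as raw markup,
// so any tag the submitter typed becomes part of the admin page.
function renderInquiryUnsafe(inquiry) {
  return `<div class="inquiry"><h2>${inquiry.name}</h2>` +
         `<p>${inquiry.message}</p></div>`;
}

// Hardened pattern: each user-controlled field is encoded first, so the
// submitter's text is displayed literally instead of being parsed as HTML.
function renderInquirySafe(inquiry) {
  return `<div class="inquiry"><h2>${escapeHtml(inquiry.name)}</h2>` +
         `<p>${escapeHtml(inquiry.message)}</p></div>`;
}

// Constructed sample of what a submitted Contact Us form might store.
const sampleInquiry = {
  name: 'Jane Doe',
  message: 'Hello <b>team</b> & "friends"',
};

// Detection helper for a review or unit test: does the rendered page still
// contain the raw tag that came from the message field?
function leaksRawMarkup(html) {
  return html.includes('<b>');
}
```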

CPE    Name      Operator  Version
       keystone  lt        4.0.0
