@agentlab/ldkg-ui-basetable (=0.1.1), @agentlab/ldkg-ui-charts (>=0.1.2 <=0.1.7) +330 more potentially affected by CVE-2023-48219 via tinymce (>=4.5.1 <=5.10.8)

tinymce NPM version =4.5.1, =0.1.2, =0.3.7, =0.1.17, =1.0.0, =1.0.0, =1.33.0, =1.0.0-alpha.39-baliz, =4.3.0, =0.5.0, =0.1.0, =0.0.4, =0.1.2, =0.8.4, =0.8.5 and more Source cves: CVE-2023-48219 Source advisory: OSV:GHSA-V626-R774-J7F8...

Improper Access Control

@keystone-6/core is vulnerable to Improper Access Control. The vulnerability exists when the ui.isAccessAllowed parameter in the KeystoneMeta function of adminMetaSchema.ts is set as undefined, which allows an attacker to access the admin meta GraphQL query if the session strategy is not defined...

@beemstream/keystone-document-gallery (>=2.0.0 <=2.0.6), @murz/keystone-field-nested-set (=4.0.1-1) +7 more potentially affected by CVE-2023-40027 via @keystone-6/core (>=1.1.1 <=5.2.0)

@keystone-6/core NPM version =1.1.1, =2.0.0, =2.1.0, =1.0.0, =6.0.21, =0.0.1, =1.0.0, =0.0.1, =0.1.0, =0.2.0 Source cves: CVE-2023-40027 Source advisory: OSV:GHSA-9CVC-V7WM-992C...

GHSA-9CVC-V7WM-992C When `ui.isAccessAllowed` is `undefined`, the `adminMeta` GraphQL query is publicly accessible

Summary When ui.isAccessAllowed is undefined, the adminMeta GraphQL query is publicly accessible, that is to say, no session is required for the query. This is different to the behaviour of the default AdminUI middleware, which by default will only be publicly accessible if a session strategy is...

Default configuration

Keystone is an open source headless CMS for Node.js — built with GraphQL and React. When ui.isAccessAllowed is set as undefined, the adminMeta GraphQL query is publicly accessible no session required. This is different to the behaviour of the default AdminUI middleware, which by default will only...

CVE-2023-40027 Conditionally missing authorization in @keystone-6/core

Keystone is an open source headless CMS for Node.js — built with GraphQL and React. When ui.isAccessAllowed is set as undefined, the adminMeta GraphQL query is publicly accessible no session required. This is different to the behaviour of the default AdminUI middleware, which by default will only...

CVE-2023-40027 Conditionally missing authorization in @keystone-6/core

Keystone is an open source headless CMS for Node.js — built with GraphQL and React. When ui.isAccessAllowed is set as undefined, the adminMeta GraphQL query is publicly accessible no session required. This is different to the behaviour of the default AdminUI middleware, which by default will only...

CVE-2023-40027

Keystone (Node.js) vulnerability CVE-2023-40027: When ui.isAccessAllowed is undefined, the adminMeta GraphQL query is publicly accessible without a session, potentially exposing admin metadata. Affected users are those relying on a session strategy to restrict access; developers using @keystone-6...

CVE-2023-40027 Conditionally missing authorization in @keystone-6/core

Keystone is an open source headless CMS for Node.js — built with GraphQL and React. When ui.isAccessAllowed is set as undefined, the adminMeta GraphQL query is publicly accessible no session required. This is different to the behaviour of the default AdminUI middleware, which by default will only...

PT-2023-27221 · Unknown · @Keystone-6/Core

Name of the Vulnerable Software and Affected Versions: @keystone-6/core versions prior to 5.5.1 Description: The issue arises when ui.isAccessAllowed is set as undefined, making the adminMeta GraphQL query publicly accessible without requiring a session. This behavior differs from the default...

Keystone 安全漏洞

Keystone is a powerful OpenStack open source CMS designed to help you build and scale faster than any other Cms or application framework. Keystone has a security vulnerability that stems from adminMeta GraphQL queries being publicly accessible when ui.isAccessAllowed is set to undefined...

Security Bulletin: IBM Spectrum Discover is vulnerable to multiple vulnerabilities

Summary IBM has addressed multiple vulnerabilities in IBM Spectrum Discover. Webpack loader-utils CVE-2022-37601 is vulnerable to execute arbitrary code on the system caused by a pollution flaw in parseQuery function. OpenStack Keystone CVE-2021-3563 is vulnerable to bypass security restriction...

Open Redirect

@keystone-6/auth is vulnerable to Open Redirect. The vulnerability exists due to improper path sanitization which can result in users being redirected to domains other than the relative host by bypassing the / filter...

create-keystone-app-master (>=6.0.21 <=6.0.22) potentially affected by CVE-2023-34247 via @keystone-6/auth (=2.0.0)

@keystone-6/auth NPM version =2.0.0 is affected by a known vulnerability. The following packages have a transitive dependency on @keystone-6/auth and may be impacted: - create-keystone-app-master =6.0.21, =6.0.22 Source cves: CVE-2023-34247 Source advisory: OSV:GHSA-JQXR-VJVV-899M...

@keystone-6/auth Open Redirect vulnerability

Summary There is an open redirect in the @keystone-6/auth package, where the redirect leading / filter can be bypassed. Impact Users may be redirected to domains other than the relative host, thereby it might be used by attackers to re-direct users to an unexpected location. Mitigations - Don't u...

CVE-2023-34247

Keystone is a content management system for Node.JS. There is an open redirect in the @keystone-6/auth package versions 7.0.0 and prior, where the redirect leading / filter can be bypassed. Users may be redirected to domains other than the relative host, thereby it might be used by attackers to...

Open redirect

Keystone is a content management system for Node.JS. There is an open redirect in the @keystone-6/auth package versions 7.0.0 and prior, where the redirect leading / filter can be bypassed. Users may be redirected to domains other than the relative host, thereby it might be used by attackers to...

CVE-2023-34247 @keystone-6/auth Open Redirect vulnerability

Keystone is a content management system for Node.JS. There is an open redirect in the @keystone-6/auth package versions 7.0.0 and prior, where the redirect leading / filter can be bypassed. Users may be redirected to domains other than the relative host, thereby it might be used by attackers to...

CVE-2023-34247

Keystone is a Node.js-based CMS. There is an Open Redirect in the @keystone-6/auth package up to version 7.0.0, where the redirect leading '/' filter can be bypassed. An attacker may cause users to be redirected to external domains instead of the relative host. Remediation is to apply the patch f...

CVE-2023-34247 @keystone-6/auth Open Redirect vulnerability

Keystone is a content management system for Node.JS. There is an open redirect in the @keystone-6/auth package versions 7.0.0 and prior, where the redirect leading / filter can be bypassed. Users may be redirected to domains other than the relative host, thereby it might be used by attackers to...