Lucene search
+L

7 matches found

CVE
CVE
added 2023/08/15 5:45 p.m.2519 views

CVE-2023-40027

Keystone (Node.js) vulnerability CVE-2023-40027: When ui.isAccessAllowed is undefined, the adminMeta GraphQL query is publicly accessible without a session, potentially exposing admin metadata. Affected users are those relying on a session strategy to restrict access; developers using @keystone-6...

5.3CVSS4.7AI score0.00469EPSS
CVE
CVE
added 2022/01/11 11:20 p.m.99 views

CVE-2022-0087

Keystone 6 login page vulnerability (CVE-2022-0087) involves an open redirect via the from= URL parameter, which can be escalated to reflected XSS. The issue is highlighted in the Nuclei template for Keystone 6 Login Page, describing an open redirect and potential XSS on the authentication flow. ...

7.1CVSS6.2AI score0.02601EPSS
CVE
CVE
added 2025/05/05 6:53 p.m.86 views

CVE-2025-46720

Keystone (Node.js CMS) prior to 6.5.0 has an Access Control Bypass in update/delete mutations: when a where clause uses multiple unique filters, the isFilterable check can be bypassed, enabling inference of hidden field values. The issue is patched in @keystone-6/core v6.5.0. Mitigations from the...

4.3CVSS3.8AI score0.00234EPSS
CVE
CVE
added 2017/10/24 9:0 p.m.80 views

CVE-2017-15878

KeystoneJS prior to 4.0.0-beta.7 contains a cross-site scripting (XSS) flaw in fields/types/markdown/MarkdownType.js exposed via the Contact Us feature. Multiple sources (GHSA entry and exploit reports) describe this as an unauthenticated or remote-exploit path that can deliver arbitrary JavaScri...

6.1CVSS5.2AI score0.03415EPSS
CVE
CVE
added 2017/11/06 8:0 a.m.67 views

CVE-2017-16570

KeystoneJS vulnerability CVE-2017-16570 affects KeystoneJS before 4.0.0-beta.7. The issue is a Cross-Site Request Forgery (CSRF) bypass where requests can bypass CSRF protection by removing the CSRF parameter/value, effectively not rejecting requests that lack an X-CSRF-Token header. Public detai...

8.8CVSS8.6AI score0.02213EPSS
Web
CVE
CVE
added 2018/05/29 8:0 p.m.52 views

CVE-2015-9240

CVE-2015-9240 affects the keystone node module prior to 0.3.16. The vulnerability is a partial authentication bypass in the default sign-in flow: if an attacker provides a full and correct password but only a partial email address, authentication can be granted. Affected component is the keystone...

7.5CVSS7.5AI score0.0089EPSS
CVE
CVE
added 2026/03/24 7:8 p.m.9 views

CVE-2026-33326

Summary: Keystone 6 core prior to 6.5.2 had a bypass in isFilterable for findMany via the cursor parameter, allowing potential disclosure by confirming protected field values. The root cause is that the cursor input type reused UniqueWhere checks not patched by the previous fix for CVE-2025-46720...

4.3CVSS5.7AI score0.00257EPSS