CVE-2017-15878 – keystone
Package
Manager: npm
Name: keystone
Vulnerable Version: >=0 <4.0.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N
EPSS: 0.03604 (percentile 0.87314)
Details
Cross-Site Scripting in keystone
Versions of `keystone` prior to 4.0.0 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize user input on the `Contact Us` page, allowing attackers to submit contact forms with malicious JavaScript in the message field. Because the output is not properly encoded, an admin who opens the new inquiry executes the arbitrary JavaScript supplied, in their own browser.
Recommendation
Update to version 4.0.0 or later.
Metadata
Created: 2017-11-15T19:44:16Z
Modified: 2021-09-03T21:41:16Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2017/11/GHSA-7qcx-jmrc-h2rr/GHSA-7qcx-jmrc-h2rr.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-7qcx-jmrc-h2rr
Finding: F425
Auto approve: 1