GHSA-7cv6-gvx3-m54m

Опубликовано: 16 нояб. 2017

Источник: github

Github: Прошло ревью

CVSS3: 4.8

Описание

Cross-Site Scripting in keystone

Versions of keystone prior to 4.0.0 are vulnerable to Cross-Site Scripting (XSS). The package fails to properly encode rendered HTML on admin-created blog posts. This allows attackers to execute arbitrary JavaScript in the victim's browser. Exploiting this vulnerability requires having access to an admin account.

Recommendation

Update to version 4.0.0 or later.

Ссылки

Пакеты

Наименование

keystone

npm

Затронутые версииВерсия исправления

<= 4.0.0-beta6

4.0.0-beta7

EPSS

Процентиль: 64%

0.00466

Низкий

4.8 Medium

CVSS3

CVE ID

CVE-2017-15881

Дефекты

CWE-79

Связанные уязвимости

CVE-2017-15881

CVSS3: 4.8

nvd

больше 8 лет назад

Cross-Site Scripting vulnerability in KeystoneJS before 4.0.0-beta.7 allows remote authenticated administrators to inject arbitrary web script or HTML via the "content brief" or "content extended" field, a different vulnerability than CVE-2017-15878.

EPSS

Процентиль: 64%

0.00466

Низкий

4.8 Medium

CVSS3

CVE ID

CVE-2017-15881

Дефекты

CWE-79