GHSA-7qcx-jmrc-h2rr

Published: 15 Nov 2017
Source: github
GitHub: Reviewed
CVSS3: 6.1

Description

Cross-Site Scripting in keystone

Versions of keystone prior to 4.0.0 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize user input on the Contact Us page, allowing attackers to submit contact forms with malicious JavaScript in the message field. The output is not properly encoded, so an admin who opens the new inquiry executes the attacker-supplied JavaScript in their browser.

Recommendation

Update to version 4.0.0 or later.
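To illustrate the defect class the description names (a stored contact-form message rendered into the admin inquiry view without output encoding), here is an added example in plain JavaScript; it is not keystone's code or its actual fix, and the inquiry object and message value are constructed samples:

```javascript
// Added illustration of the stored-XSS pattern described in the advisory.
// Not keystone's own code; the inquiry below is a constructed sample.

// Minimal HTML entity encoder for text placed inside an element body.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable rendering: stored form fields are interpolated as raw HTML,
// so a tag in the message field becomes live markup in the admin's browser.
function renderInquiryVulnerable(inquiry) {
  return `<div class="inquiry"><h2>${inquiry.name}</h2>` +
         `<p>${inquiry.message}</p></div>`;
}

// Hardened rendering: every user-controlled value is encoded on output,
// regardless of whether it was "sanitized" when the form was submitted.
function renderInquirySafe(inquiry) {
  return `<div class="inquiry"><h2>${escapeHtml(inquiry.name)}</h2>` +
         `<p>${escapeHtml(inquiry.message)}</p></div>`;
}

// Regression check usable in a test suite: does the rendered page still
// contain the user input verbatim when that input carries an HTML tag?
function containsRawTag(html, userInput) {
  return /<[a-z][^>]*>/i.test(userInput) && html.includes(userInput);
}

// Constructed sample inquiry, as it might arrive from a Contact Us form.
const sampleInquiry = {
  name: 'Visitor',
  message: 'Hello <script>alert(1)</script>',
};
```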

Packages

Name: keystone (npm)
Affected versions: < 4.0.0
Fixed version: 4.0.0

EPSS

Percentile: 87%
Score: 0.03604
Low

CVSS3: 6.1 Medium

Weaknesses

CWE-79

Related vulnerabilities

CVSS3: 6.1
Source: nvd
more than 8 years ago

A cross-site scripting (XSS) vulnerability exists in fields/types/markdown/MarkdownType.js in KeystoneJS before 4.0.0-beta.7 via the Contact Us feature.

EPSS

Percentile: 87%
Score: 0.03604
Low

CVSS3: 6.1 Medium

Weaknesses

CWE-79