keystone
npm package: 5 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting keystone
- CVE-2015-9240 (HIGH; CVSS 7.5; EG 7.5; fixed in 0.3.16; 2018-05-29)
  Due to a bug in the default sign-in functionality in the keystone node module before 0.3.16, incomplete email addresses could be matched. A correct password is still required to complete sign-in.
- CVE-2017-15878 (MEDIUM; CVSS 6.1; EG 6.1; fixed in 4.0.0; 2017-10-24)
  A cross-site scripting (XSS) vulnerability exists in fields/types/markdown/MarkdownType.js in KeystoneJS before 4.0.0-beta.7 via the Contact Us feature.
- CVE-2017-15879 (HIGH; CVSS 8.8; EG 8.8; fixed in 4.0.0-beta7; 2017-10-24)
  CSV Injection (aka Excel Macro Injection or Formula Injection) exists in admin/server/api/download.js and lib/list/getCSVData.js in KeystoneJS before 4.0.0-beta.7 via a value that is mishandled in a CSV export.
- CVE-2017-15881 (MEDIUM; CVSS 4.8; EG 4.8; fixed in 4.0.0-beta7; 2017-10-24)
  Cross-Site Scripting vulnerability in KeystoneJS before 4.0.0-beta.7 allows remote authenticated administrators to inject arbitrary web script or HTML via the "content brief" or "content extended" field, a different vulnerability than CVE-…
- CVE-2017-16570 (HIGH; CVSS 8.8; EG 8.8; fixed in 4.0.0-beta.7; 2017-11-06)
  KeystoneJS before 4.0.0-beta.7 allows application-wide CSRF bypass by removing the CSRF parameter and value, aka SecureLayer7 issue number SL7_KEYJS_03. In other words, it fails to reject requests that lack an x-csrf-token header.