Medium severity 4.8 · NVD Advisory · Published Oct 24, 2017 · Updated May 13, 2026
CVE-2017-15881
Description
Cross-Site Scripting vulnerability in KeystoneJS before 4.0.0-beta.7 allows remote authenticated administrators to inject arbitrary web script or HTML via the "content brief" or "content extended" field, a different vulnerability than CVE-2017-15878.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| keystone (npm) | < 4.0.0-beta7 | 4.0.0-beta7 |
Affected products
- cpe:2.3:a:keystonejs:keystone:4.0.0:beta1:*:*:*:node.js:*:*
- cpe:2.3:a:keystonejs:keystone:4.0.0:beta2:*:*:*:node.js:*:*
- cpe:2.3:a:keystonejs:keystone:4.0.0:beta3:*:*:*:node.js:*:*
- cpe:2.3:a:keystonejs:keystone:4.0.0:beta4:*:*:*:node.js:*:*
- cpe:2.3:a:keystonejs:keystone:4.0.0:beta5:*:*:*:node.js:*:*
- cpe:2.3:a:keystonejs:keystone:4.0.0:-:*:*:*:node.js:*:*
- cpe:2.3:a:keystonejs:keystone:*:*:*:*:*:node.js:*:* (range: <=0.3.22)
Patches
No patches discovered yet.
References
- github.com/keystonejs/keystone/pull/4478 [nvd] Issue Tracking, Patch, Third Party Advisory, WEB
- blog.securelayer7.net/keystonejs-open-source-penetration-testing-report/ [nvd] Issue Tracking, Third Party Advisory
- www.securityfocus.com/bid/101541 [nvd] Third Party Advisory, VDB Entry, WEB
- github.com/advisories/GHSA-7cv6-gvx3-m54m [ghsa] ADVISORY
- github.com/keystonejs/keystone/issues/4437 [nvd] Issue Tracking, Third Party Advisory, WEB
- nvd.nist.gov/vuln/detail/CVE-2017-15881 [ghsa] ADVISORY
- blog.securelayer7.net/keystonejs-open-source-penetration-testing-report [ghsa] WEB
- securelayer7.net/download/pdf/KeystoneJS-Pentest-Report-SecureLayer7.pdf [ghsa] WEB
- www.npmjs.com/advisories/981 [ghsa] WEB