VYPR

npm package

keystone

pkg:npm/keystone

Vulnerabilities (5)

  • CVE-2015-9240HigMay 29, 2018
    affected < 0.3.16fixed 0.3.16

    Due to a bug in the the default sign in functionality in the keystone node module before 0.3.16, incomplete email addresses could be matched. A correct password is still required to complete sign in.

  • CVE-2017-16570HigNov 6, 2017
    affected < 4.0.0-beta.7fixed 4.0.0-beta.7

    KeystoneJS before 4.0.0-beta.7 allows application-wide CSRF bypass by removing the CSRF parameter and value, aka SecureLayer7 issue number SL7_KEYJS_03. In other words, it fails to reject requests that lack an x-csrf-token header.

  • CVE-2017-15881MedOct 24, 2017
    affected < 4.0.0-beta7fixed 4.0.0-beta7

    Cross-Site Scripting vulnerability in KeystoneJS before 4.0.0-beta.7 allows remote authenticated administrators to inject arbitrary web script or HTML via the "content brief" or "content extended" field, a different vulnerability than CVE-2017-15878.

  • CVE-2017-15879HigOct 24, 2017
    affected < 4.0.0-beta7fixed 4.0.0-beta7

    CSV Injection (aka Excel Macro Injection or Formula Injection) exists in admin/server/api/download.js and lib/list/getCSVData.js in KeystoneJS before 4.0.0-beta.7 via a value that is mishandled in a CSV export.

  • CVE-2017-15878MedOct 24, 2017
    affected < 4.0.0fixed 4.0.0

    A cross-site scripting (XSS) vulnerability exists in fields/types/markdown/MarkdownType.js in KeystoneJS before 4.0.0-beta.7 via the Contact Us feature.