Search for packages
| purl | pkg:npm/keystone@0.2.16 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-94gs-13r3-3bbh
Aliases: CVE-2017-15881 GHSA-7cv6-gvx3-m54m |
Cross-Site Scripting in keystone |
Affected by 4 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-bvaw-dh5e-8bg6
Aliases: CVE-2017-16570 GHSA-q43c-g2g7-6gxj |
Cross-Site Request Forgery (CSRF) in keystone |
Affected by 4 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-u8m2-225z-7qg9
Aliases: CVE-2017-15879 GHSA-6494-v9fq-fgq2 |
Keystone is vulnerable to CSV injection |
Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-uhv4-u8n4-gkf4
Aliases: CVE-2017-15878 GHSA-7qcx-jmrc-h2rr |
Cross-Site Scripting in keystone |
Affected by 3 other vulnerabilities. |
|
VCID-vr5r-g296-bbd1
Aliases: CVE-2023-40027 GHSA-9cvc-v7wm-992c |
Keystone is an open source headless CMS for Node.js — built with GraphQL and React. When `ui.isAccessAllowed` is set as `undefined`, the `adminMeta` GraphQL query is publicly accessible (no session required). This is different to the behaviour of the default AdminUI middleware, which by default will only be publicly accessible (no session required) if a `session` strategy is not defined. This vulnerability does not affect developers using the `@keystone-6/auth` package, or any users that have written their own `ui.isAccessAllowed` (that is to say, `isAccessAllowed` is not `undefined`). This vulnerability does affect users who believed that their `session` strategy will, by default, enforce that `adminMeta` is inaccessible by the public in accordance with that strategy; akin to the behaviour of the AdminUI middleware. This vulnerability has been patched in `@keystone-6/core` version `5.5.1`. Users are advised to upgrade. Users unable to upgrade may opt to write their own `isAccessAllowed` functionality to work-around this vulnerability. |
Affected by 0 other vulnerabilities. |
|
VCID-xh6y-tuse-s7gv
Aliases: GMS-2015-50 |
Authentication Weakness Due to a bug in the the default sign in functionality, incomplete email addresses could be matched. A correct password is still required to complete sign in. |
Affected by 6 other vulnerabilities. |
|
VCID-y48m-8rm2-9ybw
Aliases: CVE-2015-9240 GHSA-39pj-gq8q-9pfj |
Authentication Weakness in keystone |
Affected by 6 other vulnerabilities. |
|
VCID-yxb4-y6q7-mbdn
Aliases: CVE-2022-0087 GHSA-hrgx-7j6v-xj82 |
Reflected cross-site scripting (XSS) vulnerability |
Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||