Search for packages
| purl | pkg:npm/keystone@0.2.22 |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 10.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-2yxf-3ebk-nbeu
Aliases: CVE-2017-15879 GHSA-6494-v9fq-fgq2 |
Improper Input Validation CSV Injection via a value that is mishandled in a CSV export. |
Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-9e59-6pzn-gyc1
Aliases: CVE-2022-0087 GHSA-hrgx-7j6v-xj82 |
keystone is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
Affected by 0 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-m9p7-836k-pqfb
Aliases: CVE-2017-15881 GHSA-7cv6-gvx3-m54m |
Cross-site Scripting Cross-Site Scripting vulnerability in KeystoneJS allows remote authenticated administrators to inject arbitrary web script or HTML via the `content brief` or `content extended` field. |
Affected by 4 other vulnerabilities. Affected by 0 other vulnerabilities. Affected by 1 other vulnerability. |
|
VCID-ndu1-2s48-pucm
Aliases: CVE-2017-15878 GHSA-7qcx-jmrc-h2rr |
Cross-site Scripting Possible Cross-site scripting via the "Contact Us feature". |
Affected by 3 other vulnerabilities. |
|
VCID-ppy6-36tw-sqft
Aliases: CVE-2023-40027 GHSA-9cvc-v7wm-992c |
Missing Authorization Keystone is an open source headless CMS for Node.js — built with GraphQL and React. When `ui.isAccessAllowed` is set as `undefined`, the `adminMeta` GraphQL query is publicly accessible (no session required). This is different to the behaviour of the default AdminUI middleware, which by default will only be publicly accessible (no session required) if a `session` strategy is not defined. This vulnerability does not affect developers using the `@keystone-6/auth` package, or any users that have written their own `ui.isAccessAllowed` (that is to say, `isAccessAllowed` is not `undefined`). This vulnerability does affect users who believed that their `session` strategy will, by default, enforce that `adminMeta` is inaccessible by the public in accordance with that strategy; akin to the behaviour of the AdminUI middleware. This vulnerability has been patched in `@keystone-6/core` version `5.5.1`. Users are advised to upgrade. Users unable to upgrade may opt to write their own `isAccessAllowed` functionality to work-around this vulnerability. |
Affected by 0 other vulnerabilities. |
|
VCID-qs56-6vgh-6uaz
Aliases: CVE-2015-9240 GHSA-39pj-gq8q-9pfj |
Authentication Weakness in keystone Due to a bug in the the default sign in functionality in the keystone node module before 0.3.16, incomplete email addresses could be matched. A correct password is still required to complete sign in. |
Affected by 6 other vulnerabilities. |
|
VCID-sw46-5p81-kqhv
Aliases: CVE-2017-16570 GHSA-q43c-g2g7-6gxj |
Cross-Site Request Forgery (CSRF) KeystoneJS allows application-wide CSRF bypass by removing the CSRF parameter and value. |
Affected by 4 other vulnerabilities. Affected by 3 other vulnerabilities. |
|
VCID-yynq-xbdy-2ff7
Aliases: GMS-2015-50 |
Authentication Weakness Due to a bug in the the default sign in functionality, incomplete email addresses could be matched. A correct password is still required to complete sign in. |
Affected by 6 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||