Staging Environment: Content and features may be unstable or change without notice.
Search for packages
Package details: pkg:npm/keystone@0.3.16
purl pkg:npm/keystone@0.3.16
Next non-vulnerable version 1.0.2
Latest non-vulnerable version 5.5.1
Risk
Vulnerabilities affecting this package (4)
Vulnerability Summary Fixed by
VCID-2yxf-3ebk-nbeu
Aliases:
CVE-2017-15879
GHSA-6494-v9fq-fgq2
Improper Input Validation CSV Injection via a value that is mishandled in a CSV export.
4.0.0-beta7
Affected by 0 other vulnerabilities.
4.1.0
Affected by 0 other vulnerabilities.
VCID-m9p7-836k-pqfb
Aliases:
CVE-2017-15881
GHSA-7cv6-gvx3-m54m
Cross-site Scripting Cross-Site Scripting vulnerability in KeystoneJS allows remote authenticated administrators to inject arbitrary web script or HTML via the `content brief` or `content extended` field.
4.0.0-beta.1
Affected by 3 other vulnerabilities.
4.0.0-beta7
Affected by 0 other vulnerabilities.
4.1.0
Affected by 0 other vulnerabilities.
VCID-ndu1-2s48-pucm
Aliases:
CVE-2017-15878
GHSA-7qcx-jmrc-h2rr
Cross-site Scripting Possible Cross-site scripting via the "Contact Us feature".
4.0.0
Affected by 2 other vulnerabilities.
VCID-sw46-5p81-kqhv
Aliases:
CVE-2017-16570
GHSA-q43c-g2g7-6gxj
Cross-Site Request Forgery (CSRF) KeystoneJS allows application-wide CSRF bypass by removing the CSRF parameter and value.
4.0.0-beta.7
Affected by 3 other vulnerabilities.
4.0.0
Affected by 2 other vulnerabilities.
Vulnerabilities fixed by this package (3)
Vulnerability Summary Aliases
VCID-he98-fy72-mqhh Authentication Weakness in keystone There is an authentication weakness vulnerability in keystone before version 0.3.16. Due to a bug in the the default sign in functionality, incomplete email addresses could be matched. A correct password is still required to complete sign in. GHSA-9xgp-hfw7-73rq
VCID-qs56-6vgh-6uaz Authentication Weakness in keystone Due to a bug in the the default sign in functionality in the keystone node module before 0.3.16, incomplete email addresses could be matched. A correct password is still required to complete sign in. CVE-2015-9240
GHSA-39pj-gq8q-9pfj
VCID-yynq-xbdy-2ff7 Authentication Weakness Due to a bug in the the default sign in functionality, incomplete email addresses could be matched. A correct password is still required to complete sign in. GMS-2015-50

Date Actor Action Vulnerability Source VulnerableCode Version
2026-06-04T20:10:09.022207+00:00 GitLab Importer Affected by VCID-sw46-5p81-kqhv https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/keystone/CVE-2017-16570.yml 38.6.0
2026-06-04T20:10:03.037546+00:00 GitLab Importer Affected by VCID-m9p7-836k-pqfb https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/keystone/CVE-2017-15881.yml 38.6.0
2026-06-04T20:09:57.518275+00:00 GitLab Importer Affected by VCID-ndu1-2s48-pucm https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/keystone/CVE-2017-15878.yml 38.6.0
2026-06-04T20:09:50.503575+00:00 GitLab Importer Affected by VCID-2yxf-3ebk-nbeu https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/keystone/CVE-2017-15879.yml 38.6.0
2026-06-04T17:40:54.156057+00:00 GithubOSV Importer Fixing VCID-qs56-6vgh-6uaz https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2018/06/GHSA-39pj-gq8q-9pfj/GHSA-39pj-gq8q-9pfj.json 38.6.0
2026-06-04T17:23:54.773669+00:00 GithubOSV Importer Fixing VCID-he98-fy72-mqhh https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2020/08/GHSA-9xgp-hfw7-73rq/GHSA-9xgp-hfw7-73rq.json 38.6.0
2026-06-02T04:37:48.782156+00:00 GitLab Importer Fixing VCID-qs56-6vgh-6uaz https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/keystone/CVE-2015-9240.yml 38.6.0
2026-06-02T04:36:27.381910+00:00 GitLab Importer Fixing VCID-yynq-xbdy-2ff7 https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/keystone/GMS-2015-50.yml 38.6.0