Lookup for vulnerable packages by Package URL.

Purl pkg:npm/keystone@4.0.0-beta.3
Type npm
Namespace
Name keystone
Version 4.0.0-beta.3
Qualifiers
Subpath
Is_vulnerable true
Next_non_vulnerable_version null
Latest_non_vulnerable_version null
Affected_by_vulnerabilities
0
url VCID-8nkn-cj8t-zfaz
vulnerability_id VCID-8nkn-cj8t-zfaz
summary
Cross-Site Scripting in keystone
Versions of `keystone` prior to 4.0.0 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize user input on the `Contact Us` page, allowing attackers to submit contact forms with malicious JavaScript in the message field. The output is not properly encoded, so an admin who opens the new inquiry executes the supplied JavaScript in their browser.


## Recommendation

Update to version 4.0.0 or later.
references
0
reference_url http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report
1
reference_url http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report/
reference_id
reference_type
scores
url http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report/
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2017-15878
reference_id
reference_type
scores
0
value 0.03604
scoring_system epss
scoring_elements 0.87971
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2017-15878
3
reference_url https://github.com/advisories/GHSA-7qcx-jmrc-h2rr
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-7qcx-jmrc-h2rr
4
reference_url https://github.com/keystonejs/keystone
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/keystonejs/keystone
5
reference_url https://github.com/keystonejs/keystone/pull/4478
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/keystonejs/keystone/pull/4478
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2017-15878
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2017-15878
7
reference_url https://packetstormsecurity.com/files/144756/KeystoneJS-4.0.0-beta.5-Unauthenticated-Stored-Cross-Site-Scripting.html
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://packetstormsecurity.com/files/144756/KeystoneJS-4.0.0-beta.5-Unauthenticated-Stored-Cross-Site-Scripting.html
8
reference_url https://securelayer7.net/download/pdf/KeystoneJS-Pentest-Report-SecureLayer7.pdf
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://securelayer7.net/download/pdf/KeystoneJS-Pentest-Report-SecureLayer7.pdf
9
reference_url https://www.exploit-db.com/exploits/43054
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.exploit-db.com/exploits/43054
10
reference_url https://www.exploit-db.com/exploits/43054/
reference_id
reference_type
scores
url https://www.exploit-db.com/exploits/43054/
11
reference_url https://www.npmjs.com/advisories/980
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/advisories/980
12
reference_url http://www.securityfocus.com/bid/101541
reference_id
reference_type
scores
0
value 6.1
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url http://www.securityfocus.com/bid/101541
13
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/nodejs/webapps/43054.txt
reference_id CVE-2017-15878
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/nodejs/webapps/43054.txt
fixed_packages
0
url pkg:npm/keystone@4.0.0
purl pkg:npm/keystone@4.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1ksd-b17t-5kh3
1
vulnerability VCID-e22c-rs6d-27e7
2
vulnerability VCID-hzbj-2rgm-47g1
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/keystone@4.0.0
aliases CVE-2017-15878, GHSA-7qcx-jmrc-h2rr
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8nkn-cj8t-zfaz
1
url VCID-e22c-rs6d-27e7
vulnerability_id VCID-e22c-rs6d-27e7
summary
### Summary
When `ui.isAccessAllowed` is `undefined`, the `adminMeta` GraphQL query is publicly accessible, that is to say, no session is required for the query.

This is different to the behaviour of the default AdminUI middleware, which by default will only be publicly accessible if a `session` strategy is not defined. 

### Impact
This vulnerability does not affect developers using the `@keystone-6/auth` package, or any users that have written their own `ui.isAccessAllowed` (that is to say, you are unaffected if `ui.isAccessAllowed` is defined).

This vulnerability does affect developers who thought that their `session` strategy will, by default, enforce that `adminMeta` is inaccessible by the public in accordance with that strategy; akin to the behaviour of the AdminUI middleware.

### Patches
This vulnerability has been patched in `@keystone-6/core` version `5.5.1`.

### Workarounds
You can opt to write your own `isAccessAllowed` to work around this vulnerability.

### References
Pull request https://github.com/keystonejs/keystone/pull/8771
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-40027
reference_id
reference_type
scores
0
value 0.00321
scoring_system epss
scoring_elements 0.55336
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-40027
1
reference_url https://github.com/keystonejs/keystone
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/keystonejs/keystone
2
reference_url https://github.com/keystonejs/keystone/commit/650e27e6e9b42abfb94c340c8470faf61f0ff284
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-02T17:45:13Z/
url https://github.com/keystonejs/keystone/commit/650e27e6e9b42abfb94c340c8470faf61f0ff284
3
reference_url https://github.com/keystonejs/keystone/pull/8771
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-02T17:45:13Z/
url https://github.com/keystonejs/keystone/pull/8771
4
reference_url https://github.com/keystonejs/keystone/releases/tag/2023-08-15
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/keystonejs/keystone/releases/tag/2023-08-15
5
reference_url https://github.com/keystonejs/keystone/security/advisories/GHSA-9cvc-v7wm-992c
reference_id
reference_type
scores
0
value 3.7
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-02T17:45:13Z/
url https://github.com/keystonejs/keystone/security/advisories/GHSA-9cvc-v7wm-992c
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-40027
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-40027
7
reference_url https://github.com/advisories/GHSA-9cvc-v7wm-992c
reference_id GHSA-9cvc-v7wm-992c
reference_type
scores
url https://github.com/advisories/GHSA-9cvc-v7wm-992c
fixed_packages
0
url pkg:npm/keystone@5.5.1
purl pkg:npm/keystone@5.5.1
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/keystone@5.5.1
aliases CVE-2023-40027, GHSA-9cvc-v7wm-992c
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-e22c-rs6d-27e7
2
url VCID-hzbj-2rgm-47g1
vulnerability_id VCID-hzbj-2rgm-47g1
summary
Keystone is vulnerable to CSV injection
CSV Injection (aka Excel Macro Injection or Formula Injection) exists in admin/server/api/download.js and lib/list/getCSVData.js in KeystoneJS before 4.0.0-beta.7 via a value that is mishandled in a CSV export.
references
0
reference_url https://api.first.org/data/v1/epss?cve=CVE-2017-15879
reference_id
reference_type
scores
0
value 0.09815
scoring_system epss
scoring_elements 0.93094
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2017-15879
1
reference_url https://github.com/advisories/GHSA-6494-v9fq-fgq2
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-6494-v9fq-fgq2
2
reference_url https://github.com/keystonejs/keystone/pull/4478
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/keystonejs/keystone/pull/4478
3
reference_url https://nvd.nist.gov/vuln/detail/CVE-2017-15879
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2017-15879
4
reference_url https://packetstormsecurity.com/files/144755/KeystoneJS-4.0.0-beta.5-Unauthenticated-CSV-Injection.html
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://packetstormsecurity.com/files/144755/KeystoneJS-4.0.0-beta.5-Unauthenticated-CSV-Injection.html
5
reference_url https://www.exploit-db.com/exploits/43053
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.exploit-db.com/exploits/43053
6
reference_url https://www.exploit-db.com/exploits/43053/
reference_id
reference_type
scores
url https://www.exploit-db.com/exploits/43053/
7
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/nodejs/webapps/43053.txt
reference_id CVE-2017-15879
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/nodejs/webapps/43053.txt
fixed_packages
0
url pkg:npm/keystone@4.0.0-beta7
purl pkg:npm/keystone@4.0.0-beta7
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/keystone@4.0.0-beta7
1
url pkg:npm/keystone@4.1.0
purl pkg:npm/keystone@4.1.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-e22c-rs6d-27e7
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/keystone@4.1.0
aliases CVE-2017-15879, GHSA-6494-v9fq-fgq2
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-hzbj-2rgm-47g1
3
url VCID-yde5-m797-dyef
vulnerability_id VCID-yde5-m797-dyef
summary
Cross-Site Request Forgery (CSRF) in keystone
Versions of `keystone` prior to 4.0.0 are vulnerable to Cross-Site Request Forgery (CSRF). The package fails to validate the presence of the `X-CSRF-Token` header, which may allow attackers to carry out actions on behalf of other users on all endpoints.


## Recommendation

Update to version 4.0.0 or later.
references
0
reference_url http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report
1
reference_url http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report/
reference_id
reference_type
scores
url http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report/
2
reference_url https://api.first.org/data/v1/epss?cve=CVE-2017-16570
reference_id
reference_type
scores
0
value 0.00198
scoring_system epss
scoring_elements 0.41761
published_at 2026-05-29T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2017-16570
3
reference_url https://github.com/advisories/GHSA-q43c-g2g7-6gxj
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/advisories/GHSA-q43c-g2g7-6gxj
4
reference_url https://github.com/keystonejs/keystone/issues/4437
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/keystonejs/keystone/issues/4437
5
reference_url https://github.com/keystonejs/keystone/pull/4478
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/keystonejs/keystone/pull/4478
6
reference_url https://nvd.nist.gov/vuln/detail/CVE-2017-16570
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2017-16570
7
reference_url https://securelayer7.net/download/pdf/KeystoneJS-Pentest-Report-SecureLayer7.pdf
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://securelayer7.net/download/pdf/KeystoneJS-Pentest-Report-SecureLayer7.pdf
8
reference_url https://snyk.io/vuln/SNYK-JS-KEYSTONE-449663
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://snyk.io/vuln/SNYK-JS-KEYSTONE-449663
9
reference_url https://www.exploit-db.com/exploits/43922
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.exploit-db.com/exploits/43922
10
reference_url https://www.exploit-db.com/exploits/43922/
reference_id
reference_type
scores
url https://www.exploit-db.com/exploits/43922/
11
reference_url https://www.npmjs.com/advisories/979
reference_id
reference_type
scores
0
value 8.8
scoring_system cvssv3.1
scoring_elements CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.npmjs.com/advisories/979
12
reference_url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/nodejs/webapps/43922.html
reference_id CVE-2017-16570
reference_type exploit
scores
url https://gitlab.com/exploit-database/exploitdb/-/blob/main/exploits/nodejs/webapps/43922.html
fixed_packages
0
url pkg:npm/keystone@4.0.0-beta.7
purl pkg:npm/keystone@4.0.0-beta.7
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-8nkn-cj8t-zfaz
1
vulnerability VCID-e22c-rs6d-27e7
2
vulnerability VCID-hzbj-2rgm-47g1
3
vulnerability VCID-yde5-m797-dyef
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/keystone@4.0.0-beta.7
1
url pkg:npm/keystone@4.0.0
purl pkg:npm/keystone@4.0.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-1ksd-b17t-5kh3
1
vulnerability VCID-e22c-rs6d-27e7
2
vulnerability VCID-hzbj-2rgm-47g1
resource_url http://public2.vulnerablecode.io/packages/pkg:npm/keystone@4.0.0
aliases CVE-2017-16570, GHSA-q43c-g2g7-6gxj
risk_score null
exploitability null
weighted_severity null
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yde5-m797-dyef
Fixing_vulnerabilities
Risk_score null
Resource_url http://public2.vulnerablecode.io/packages/pkg:npm/keystone@4.0.0-beta.3