VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-m9p7-836k-pqfb

Essentials
Severities (17)
References (10)
Severity details (16)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-m9p7-836k-pqfb
Aliases	CVE-2017-15881 GHSA-7cv6-gvx3-m54m
Summary	Cross-site Scripting Cross-Site Scripting vulnerability in KeystoneJS allows remote authenticated administrators to inject arbitrary web script or HTML via the `content brief` or `content extended` field.
Status	Published
Exploitability	0.5
Weighted Severity	6.2
Risk	3.1
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3.1	4.8	http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report
generic_textual	MODERATE	http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report
epss	0.00466	https://api.first.org/data/v1/epss?cve=CVE-2017-15881
cvssv3.1	4.8	https://github.com/advisories/GHSA-7cv6-gvx3-m54m
generic_textual	MODERATE	https://github.com/advisories/GHSA-7cv6-gvx3-m54m
cvssv3.1	4.8	https://github.com/keystonejs/keystone/issues/4437
generic_textual	MODERATE	https://github.com/keystonejs/keystone/issues/4437
cvssv3.1	4.8	https://github.com/keystonejs/keystone/pull/4478
generic_textual	MODERATE	https://github.com/keystonejs/keystone/pull/4478
cvssv3.1	4.8	https://nvd.nist.gov/vuln/detail/CVE-2017-15881
generic_textual	MODERATE	https://nvd.nist.gov/vuln/detail/CVE-2017-15881
cvssv3.1	4.8	https://securelayer7.net/download/pdf/KeystoneJS-Pentest-Report-SecureLayer7.pdf
generic_textual	MODERATE	https://securelayer7.net/download/pdf/KeystoneJS-Pentest-Report-SecureLayer7.pdf
cvssv3.1	4.8	https://www.npmjs.com/advisories/981
generic_textual	MODERATE	https://www.npmjs.com/advisories/981
cvssv3.1	4.8	http://www.securityfocus.com/bid/101541
generic_textual	MODERATE	http://www.securityfocus.com/bid/101541

Reference id	Reference type	URL
		http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report
		http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report/
		https://api.first.org/data/v1/epss?cve=CVE-2017-15881
		https://github.com/advisories/GHSA-7cv6-gvx3-m54m
		https://github.com/keystonejs/keystone/issues/4437
		https://github.com/keystonejs/keystone/pull/4478
		https://securelayer7.net/download/pdf/KeystoneJS-Pentest-Report-SecureLayer7.pdf
		https://www.npmjs.com/advisories/981
		http://www.securityfocus.com/bid/101541
CVE-2017-15881		https://nvd.nist.gov/vuln/detail/CVE-2017-15881

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N Found at http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/advisories/GHSA-7cv6-gvx3-m54m

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/keystonejs/keystone/issues/4437

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/keystonejs/keystone/pull/4478

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2017-15881

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N Found at https://securelayer7.net/download/pdf/KeystoneJS-Pentest-Report-SecureLayer7.pdf

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N Found at https://www.npmjs.com/advisories/981

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N Found at http://www.securityfocus.com/bid/101541

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Exploit Prediction Scoring System (EPSS)

Percentile	0.64737
EPSS Score	0.00466
Published At	June 4, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-06-02T04:37:17.823116+00:00	GitLab Importer	Import	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/keystone/CVE-2017-15881.yml	38.6.0