Vulnerability details: VCID-ndu1-2s48-pucm
Vulnerability ID VCID-ndu1-2s48-pucm
Aliases CVE-2017-15878
GHSA-7qcx-jmrc-h2rr
Summary Cross-site Scripting Possible Cross-site scripting via the "Contact Us feature".
Status Published
Exploitability None
Weighted Severity None
Risk None
Weaknesses (3)
System Score Found at
cvssv3.1 6.1 http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report
generic_textual MODERATE http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report
epss 0.03604 https://api.first.org/data/v1/epss?cve=CVE-2017-15878
cvssv3.1 6.1 https://github.com/advisories/GHSA-7qcx-jmrc-h2rr
generic_textual MODERATE https://github.com/advisories/GHSA-7qcx-jmrc-h2rr
cvssv3.1 6.1 https://github.com/keystonejs/keystone
generic_textual MODERATE https://github.com/keystonejs/keystone
cvssv3.1 6.1 https://github.com/keystonejs/keystone/pull/4478
generic_textual MODERATE https://github.com/keystonejs/keystone/pull/4478
cvssv3.1 6.1 https://nvd.nist.gov/vuln/detail/CVE-2017-15878
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2017-15878
cvssv3.1 6.1 https://packetstormsecurity.com/files/144756/KeystoneJS-4.0.0-beta.5-Unauthenticated-Stored-Cross-Site-Scripting.html
generic_textual MODERATE https://packetstormsecurity.com/files/144756/KeystoneJS-4.0.0-beta.5-Unauthenticated-Stored-Cross-Site-Scripting.html
cvssv3.1 6.1 https://securelayer7.net/download/pdf/KeystoneJS-Pentest-Report-SecureLayer7.pdf
generic_textual MODERATE https://securelayer7.net/download/pdf/KeystoneJS-Pentest-Report-SecureLayer7.pdf
cvssv3.1 6.1 https://www.exploit-db.com/exploits/43054
generic_textual MODERATE https://www.exploit-db.com/exploits/43054
cvssv3.1 6.1 https://www.npmjs.com/advisories/980
generic_textual MODERATE https://www.npmjs.com/advisories/980
cvssv3.1 6.1 http://www.securityfocus.com/bid/101541
generic_textual MODERATE http://www.securityfocus.com/bid/101541
Data source Exploit-DB
Date added Oct. 25, 2017
Description KeystoneJS 4.0.0-beta.5 - Cross-Site Scripting
Ransomware campaign use Unknown
Source publication date Oct. 25, 2017
Exploit type webapps
Platform nodejs
Source update date Oct. 25, 2017
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): required; Scope (S): changed; Confidentiality Impact (C): low; Integrity Impact (I): low; Availability Impact (A): none
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/advisories/GHSA-7qcx-jmrc-h2rr
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/keystonejs/keystone
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://github.com/keystonejs/keystone/pull/4478
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2017-15878
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://packetstormsecurity.com/files/144756/KeystoneJS-4.0.0-beta.5-Unauthenticated-Stored-Cross-Site-Scripting.html
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://securelayer7.net/download/pdf/KeystoneJS-Pentest-Report-SecureLayer7.pdf
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://www.exploit-db.com/exploits/43054
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at https://www.npmjs.com/advisories/980
Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N Found at http://www.securityfocus.com/bid/101541
Exploit Prediction Scoring System (EPSS)
Percentile 0.87985
EPSS Score 0.03604
Published At June 4, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-02T04:37:16.346152+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/npm/keystone/CVE-2017-15878.yml 38.6.0