keystone@0.0.16 vulnerabilities

keystone is a Node.js content management system and web app framework built on the Express web framework and Mongoose ODM.

Affected versions of this package are vulnerable to Arbitrary File Upload via the file upload module, due to missing sanitization, allowing an attacker to execute arbitrary code via a crafted file.

There is no fixed version for keystone.

keystone is a Node.js content management system and web app framework built on the Express web framework and Mongoose ODM.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). The package fails to properly encode rendered HTML on admin-created blog posts. This allows attackers to execute arbitrary JavaScript in the victim's browser. Exploiting this vulnerability requires having access to an admin account.

Upgrade keystone to version 4.0.0-beta.1 or higher.

keystone is a Node.js content management system and web app framework built on the Express web framework and Mongoose ODM.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). The package fails to sanitize user input on the Contact Us page, allowing attackers to submit contact forms with malicious JavaScript in the message field. The output is not properly encoded leading an admin that opens new inquiry to execute the arbitrary JavaScript supplied in their browser.

Upgrade keystone to version 4.0.0-beta.1 or higher.

keystone is a Node.js content management system and web app framework built on the Express web framework and Mongoose ODM.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). It fails to reject requests that lack an x-csrf-token header.

Upgrade keystone to version 4.0.0-beta.7 or higher.

keystone is a web Application Framework and Admin GUI / Content Management System built on Express.js and Mongoose.

Affected versions of the package are vulnerable to Cross-site Request Forgery (CSRF).

Upgrade keystone to version 0.2.34 or higher.

keystone is an web Application Framework and Admin GUI / Content Management System built on Express.js and Mongoose.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks. Cross-Site Scripting vulnerability in KeystoneJS before 4.0.0-beta.7 allows remote authenticated administrators to inject arbitrary web script or HTML via the "content brief" or "content extended" field, a different vulnerability than CVE-2017-15878.

Upgrade keystone to version 4.0.0-beta.7 or higher.

keystone is an web Application Framework and Admin GUI / Content Management System built on Express.js and Mongoose.

Affected versions of the package are vulnerable to CSV Injection.

Upgrade keystone to version 4.0.0-beta.7 or higher.

keystone is Web Application Framework and Admin GUI / Content Management System built on Express.js and Mongoose.

Affected versions of the package are vulnerable to Cross-site Scripting (XSS). A cross-site scripting (XSS) vulnerability exists in fields/types/markdown/MarkdownType.js in KeystoneJS before 4.0.0-beta.7 via the Contact Us feature.

Upgrade keystone to version 4.0.0-beta.7 or higher.

Invalid email addresses can be mistakenly matched during sign-in. This affects the User record to be fetched from the DB. Correct password for that User is still required to authenticate.