Latest version: 4.2.1
First published: 11 years ago
Latest version published: 5 years ago
Known vulnerabilities in the keystone package. keystone is a Node.js content management system and web app framework built on the Express web framework and Mongoose ODM. This list does not include vulnerabilities belonging to this package's dependencies.

| Vulnerability | Vulnerable versions | Fix |
|---|---|---|
| Arbitrary File Upload via the file upload module, due to missing sanitization of uploaded files, allowing an attacker to execute arbitrary code via a crafted file. | * (all versions) | No fixed version |
| Cross-site Scripting (XSS): the package fails to properly encode rendered HTML on admin-created blog posts, allowing an attacker to execute arbitrary JavaScript in the victim's browser. Exploiting this vulnerability requires access to an admin account. | <4.0.0-beta.1 | Upgrade to 4.0.0-beta.1 or later |
| Cross-site Scripting (XSS): the package fails to sanitize user input on the … | <4.0.0-beta.1 | Upgrade to 4.0.0-beta.1 or later |
| Cross-site Request Forgery (CSRF): the package fails to reject requests that lack an … | <4.0.0-beta.7 | Upgrade to 4.0.0-beta.7 or later |
| Cross-site Request Forgery (CSRF). | <0.2.34 | Upgrade to 0.2.34 or later |
| Cross-site Scripting (XSS): remote authenticated administrators can inject arbitrary web script or HTML via the "content brief" or "content extended" field (a different vulnerability than CVE-2017-15878). | <4.0.0-beta.7 | Upgrade to 4.0.0-beta.7 or later |
| CSV Injection. | <4.0.0-beta.7 | Upgrade to 4.0.0-beta.7 or later |
| Cross-site Scripting (XSS) in fields/types/markdown/MarkdownType.js via the Contact Us feature. | <4.0.0-beta.7 | Upgrade to 4.0.0-beta.7 or later |
| Invalid email addresses can be mistakenly matched during sign-in. This affects the … | <0.3.16 | Upgrade to 0.3.16 or later |
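The arbitrary file upload entry in the table above comes down to missing sanitization of what the client sends. The following is an added example, not keystone's own upload module and not its fix: it contrasts the unsafe pattern of joining the client-supplied name onto the upload directory with a check that drops directory components, allow-lists the extension, verifies the leading bytes match that extension, and stores the file under a server-generated name. `UPLOAD_DIR`, `ALLOWED_EXT`, `MAGIC` and the function names are assumptions made for the illustration.

```javascript
// Added example, not keystone's own upload module.
// Assumptions (hypothetical): files are stored under UPLOAD_DIR, which sits outside the
// web root, and only the extensions in ALLOWED_EXT are accepted.
const path = require('path');
const crypto = require('crypto');

const UPLOAD_DIR = '/srv/app/uploads';
const ALLOWED_EXT = new Set(['.png', '.jpg', '.jpeg', '.gif', '.pdf']);
// Leading bytes for each allowed type, so content that is really a script is rejected
// even when it carries an allowed extension.
const MAGIC = {
  '.png': Buffer.from([0x89, 0x50, 0x4e, 0x47]),
  '.jpg': Buffer.from([0xff, 0xd8, 0xff]),
  '.jpeg': Buffer.from([0xff, 0xd8, 0xff]),
  '.gif': Buffer.from('GIF8'),
  '.pdf': Buffer.from('%PDF'),
};

// Unsafe pattern: the client-supplied name decides both the path and the type on disk.
// path.join normalises "../", so "../../evil.js" lands outside UPLOAD_DIR.
function unsafeDestination(originalName) {
  return path.join(UPLOAD_DIR, originalName);
}

// Hardened check. Returns { ok: true, storedName, destination } or { ok: false, reason }.
function validateUpload(originalName, content) {
  const base = path.basename(originalName);      // drops any directory component
  const ext = path.extname(base).toLowerCase();
  if (!ALLOWED_EXT.has(ext)) {
    return { ok: false, reason: 'extension not allowed: ' + JSON.stringify(ext) };
  }
  // Reject "shell.php.png"-style names outright; servers with sloppy handler mapping
  // have executed such files by the inner extension.
  if (base.slice(0, -ext.length).includes('.')) {
    return { ok: false, reason: 'multiple extensions' };
  }
  const magic = MAGIC[ext];
  if (!Buffer.isBuffer(content) || !content.subarray(0, magic.length).equals(magic)) {
    return { ok: false, reason: 'content does not look like ' + ext };
  }
  // Never reuse the client's name: a random name cannot collide, traverse, or be guessed.
  const storedName = crypto.randomBytes(16).toString('hex') + ext;
  return { ok: true, storedName, destination: path.join(UPLOAD_DIR, storedName) };
}
```

The magic-byte check is deliberately shallow: it stops a script renamed to `.png`, not a polyglot that is a valid image and a valid script at once. Storing uploads outside the web root and serving them through a handler that sets `Content-Type` from the stored extension is what removes the code-execution path, which is why the destination is built from the server's own name rather than the client's.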
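Both CSRF entries describe state-changing requests that are accepted even when they lack the token the server expects. As an added example (not keystone's code, and not a description of how keystone's own fix works), here is an Express-style middleware that issues one token per session and refuses any non-safe-method request that does not carry it, compared in constant time. `req.session`, the `_csrf` form field and the `x-csrf-token` header name are assumptions; the `simulate` harness exists only so the middleware can be exercised without a listening server.

```javascript
// Added example, not keystone's code. Assumption (hypothetical): a session object is
// available as req.session, and forms embed the token in a hidden field named _csrf.
const crypto = require('crypto');

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Issue a per-session token once; templates put it in a hidden form field.
function issueCsrfToken(session) {
  if (!session.csrfToken) session.csrfToken = crypto.randomBytes(32).toString('hex');
  return session.csrfToken;
}

// Constant-time comparison that tolerates missing values and differing lengths.
function tokensMatch(submitted, expected) {
  if (typeof submitted !== 'string' || typeof expected !== 'string') return false;
  const a = Buffer.from(submitted), b = Buffer.from(expected);
  if (a.length !== b.length) return false;
  return crypto.timingSafeEqual(a, b);
}

// Express-style middleware: every request that can change state must present the
// session's token, either as a form field or as a header. Missing token => 403.
function csrfProtect(req, res, next) {
  if (SAFE_METHODS.has(req.method)) return next();
  const submitted = (req.body && req.body._csrf) || req.headers['x-csrf-token'];
  const expected = req.session && req.session.csrfToken;
  if (!expected || !tokensMatch(submitted, expected)) {
    res.statusCode = 403;
    return res.end('invalid CSRF token');
  }
  return next();
}

// Minimal harness: runs the middleware against a constructed request object and
// reports whether it reached next() and what status it set.
function simulate(req) {
  const res = { statusCode: 200, body: '', end(b) { this.body = b || ''; } };
  let passed = false;
  csrfProtect(req, res, () => { passed = true; });
  return { passed, status: res.statusCode };
}
```

The check is on the server's copy of the token, not merely on the presence of a field: a forged cross-site form can include a `_csrf` field, but cannot know the victim's session value. Safe methods are skipped on the assumption that they really are side-effect free, which is itself something to verify in the routes.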