keystone@0.1.9 vulnerabilities

Web Application Framework and Admin GUI / Content Management System built on Express.js and Mongoose

Direct Vulnerabilities

Known vulnerabilities in the keystone package. This does not include vulnerabilities belonging to this package’s dependencies.

Each entry below gives the vulnerability, its severity and the vulnerable version range.

  • Critical: Arbitrary File Upload

keystone is a Node.js content management system and web app framework built on the Express web framework and Mongoose ODM.

Affected versions of this package are vulnerable to Arbitrary File Upload via the file upload module, due to missing sanitization, allowing an attacker to execute arbitrary code via a crafted file.

How to fix Arbitrary File Upload?

There is no fixed version for keystone.

Vulnerable versions: * (all versions)
  • Medium: Cross-site Scripting (XSS)
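Because no fixed version exists for the upload issue, the mitigation falls to the application that embeds the framework. The following is an added example, not keystone's own code: it validates an uploaded file's name and declared type before storage, which is the sanitization the entry above reports as missing. The extension allow-list, the magic-byte table, the caller-supplied storage id and the sample inputs are all constructed for this illustration.

```javascript
// Added example, not keystone's own code: server-side validation of an
// uploaded file's name and type before it is stored. The allow-list, the
// generated storage name and the magic-byte table are assumptions for
// this illustration, not keystone's configuration.
const ALLOWED = {
  // extension -> expected leading bytes ("magic") of the file content
  png: [0x89, 0x50, 0x4e, 0x47],
  jpg: [0xff, 0xd8, 0xff],
  pdf: [0x25, 0x50, 0x44, 0x46],
};

// Strip any directory component the client may have sent (both separators),
// so "..\\..\\evil.png" becomes "evil.png".
function baseName(name) {
  const parts = String(name).split(/[\\/]/);
  return parts[parts.length - 1];
}

function extensionOf(name) {
  const i = name.lastIndexOf('.');
  return i < 0 ? '' : name.slice(i + 1).toLowerCase();
}

function startsWithBytes(buf, magic) {
  if (buf.length < magic.length) return false;
  for (let i = 0; i < magic.length; i++) {
    if (buf[i] !== magic[i]) return false;
  }
  return true;
}

// Returns { ok: true, storedName, ext } or { ok: false, reason }.
// storageId is supplied by the caller (e.g. a random id) so the stored name
// never derives from client input.
function validateUpload(originalName, content, storageId) {
  const name = baseName(originalName);
  const ext = extensionOf(name);
  if (!Object.prototype.hasOwnProperty.call(ALLOWED, ext)) {
    return { ok: false, reason: `extension not allowed: ${ext || '(none)'}` };
  }
  if (!startsWithBytes(content, ALLOWED[ext])) {
    return { ok: false, reason: 'content does not match declared type' };
  }
  return { ok: true, ext, storedName: `${storageId}.${ext}` };
}

// Constructed inputs: a genuine PNG header, and a plain-text file that was
// merely renamed to .png (its bytes are not a PNG).
const PNG_HEADER = Uint8Array.from([0x89, 0x50, 0x4e, 0x47, 0x0d, 0x0a, 0x1a, 0x0a]);
const NOT_PNG = Uint8Array.from([0x68, 0x65, 0x6c, 0x6c, 0x6f]); // "hello"

console.log(validateUpload('../../photo.png', PNG_HEADER, 'upload-0001'));
console.log(validateUpload('renamed.png', NOT_PNG, 'upload-0002'));
console.log(validateUpload('page.html', PNG_HEADER, 'upload-0003'));
```

The stored name is built from the caller's id plus the validated extension only, so neither path components nor the original name reach the filesystem; checking the leading bytes catches files whose extension does not describe their content.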

keystone is a Node.js content management system and web app framework built on the Express web framework and Mongoose ODM.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). The package fails to properly encode rendered HTML on admin-created blog posts. This allows attackers to execute arbitrary JavaScript in the victim's browser. Exploiting this vulnerability requires having access to an admin account.

How to fix Cross-site Scripting (XSS)?

Upgrade keystone to version 4.0.0-beta.1 or higher.

Vulnerable versions: <4.0.0-beta.1
  • High: Cross-site Scripting (XSS)

keystone is a Node.js content management system and web app framework built on the Express web framework and Mongoose ODM.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS). The package fails to sanitize user input on the Contact Us page, allowing attackers to submit contact forms with malicious JavaScript in the message field. The output is not properly encoded, so an admin who opens the new inquiry executes the supplied JavaScript in their browser.

How to fix Cross-site Scripting (XSS)?

Upgrade keystone to version 4.0.0-beta.1 or higher.

Vulnerable versions: <4.0.0-beta.1
  • High: Cross-site Request Forgery (CSRF)

keystone is a Node.js content management system and web app framework built on the Express web framework and Mongoose ODM.

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF). It fails to reject requests that lack an x-csrf-token header.

How to fix Cross-site Request Forgery (CSRF)?

Upgrade keystone to version 4.0.0-beta.7 or higher.

Vulnerable versions: <4.0.0-beta.7
  • Medium: Cross-site Request Forgery (CSRF)

keystone is a Web Application Framework and Admin GUI / Content Management System built on Express.js and Mongoose.

Affected versions of the package are vulnerable to Cross-site Request Forgery (CSRF).

How to fix Cross-site Request Forgery (CSRF)?

Upgrade keystone to version 0.2.34 or higher.

Vulnerable versions: <0.2.34
  • Medium: Cross-site Scripting (XSS)
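The two CSRF entries above describe the same failure mode: a state-changing request is accepted without proof that it came from the application's own page. The following is an added example, not keystone's own code, showing the check an Express-style admin should apply; it rejects requests that lack the x-csrf-token header named in the first entry and those whose token does not match the session's. The request shape (req.method, lower-cased req.headers, req.session.csrfToken) and the sample requests are assumptions for the illustration.

```javascript
// Added example, not keystone's own code: a CSRF check for an Express-style
// admin that rejects state-changing requests lacking or failing the
// x-csrf-token header. Assumed shapes: req.method, req.headers (lower-cased
// keys) and req.session.csrfToken.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Constant-time string comparison so a wrong token fails without leaking
// how many leading characters matched.
function tokensMatch(a, b) {
  if (typeof a !== 'string' || typeof b !== 'string') return false;
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  }
  return diff === 0;
}

// Returns { ok: true } or { ok: false, status, reason }.
function checkCsrf(req) {
  const method = String(req.method || '').toUpperCase();
  if (SAFE_METHODS.has(method)) return { ok: true };
  const header = (req.headers || {})['x-csrf-token'];
  if (typeof header !== 'string' || header.length === 0) {
    // The missing rejection the advisory describes: no header, no request.
    return { ok: false, status: 403, reason: 'missing x-csrf-token header' };
  }
  const expected = req.session && req.session.csrfToken;
  if (!tokensMatch(header, expected)) {
    return { ok: false, status: 403, reason: 'invalid x-csrf-token' };
  }
  return { ok: true };
}

// Express-style middleware wrapper around the check (res/next shape assumed).
function csrfMiddleware(req, res, next) {
  const result = checkCsrf(req);
  if (!result.ok) return res.status(result.status).send(result.reason);
  return next();
}

// Constructed sample requests exercising each outcome.
function csrfDemo() {
  const session = { csrfToken: 'c0ffee-constructed-session-token' };
  const cases = {
    read: { method: 'GET', headers: {}, session },
    missing: { method: 'POST', headers: {}, session },
    wrong: { method: 'POST', headers: { 'x-csrf-token': 'deadbeef' }, session },
    valid: { method: 'POST', headers: { 'x-csrf-token': session.csrfToken }, session },
  };
  const out = {};
  for (const [name, req] of Object.entries(cases)) out[name] = checkCsrf(req);
  return out;
}

console.log(JSON.stringify(csrfDemo(), null, 2));
```

Safe methods pass through untouched; anything else must carry a header that equals the session token, compared in constant time. Mount csrfMiddleware ahead of the admin routes so the rejection happens before any handler runs.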

keystone is a Web Application Framework and Admin GUI / Content Management System built on Express.js and Mongoose.

Affected versions of this package are vulnerable to Cross-site Scripting (XSS) attacks. Cross-Site Scripting vulnerability in KeystoneJS before 4.0.0-beta.7 allows remote authenticated administrators to inject arbitrary web script or HTML via the "content brief" or "content extended" field, a different vulnerability than CVE-2017-15878.

How to fix Cross-site Scripting (XSS)?

Upgrade keystone to version 4.0.0-beta.7 or higher.

Vulnerable versions: <4.0.0-beta.7
  • Medium: Cross-site Scripting (XSS)

keystone is a Web Application Framework and Admin GUI / Content Management System built on Express.js and Mongoose.

Affected versions of the package are vulnerable to Cross-site Scripting (XSS). A cross-site scripting (XSS) vulnerability exists in fields/types/markdown/MarkdownType.js in KeystoneJS before 4.0.0-beta.7 via the Contact Us feature.

How to fix Cross-site Scripting (XSS)?

Upgrade keystone to version 4.0.0-beta.7 or higher.

Vulnerable versions: <4.0.0-beta.7
  • High: CSV Injection
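All four XSS entries above (admin-created blog posts, the Contact Us message field, the "content brief" / "content extended" fields and the markdown type used by Contact Us) share one root cause: text that a user controls is placed into HTML without output encoding. The following is an added example, not keystone's own code, showing the vulnerable rendering shape beside the hardened one. The inquiry and post field names, the template functions and the sample submission are constructed for the illustration.

```javascript
// Added example, not keystone's own code: output encoding for admin-facing
// views that render user-controlled text. Field names (name, message, brief,
// title, id) are assumed; the templates are plain string literals.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable shape: the field is interpolated as-is, so a submitted
// <script> tag runs when the admin opens the inquiry.
function renderInquiryUnsafe(inquiry) {
  return `<h2>${inquiry.name}</h2><p>${inquiry.message}</p>`;
}

// Hardened shape: every interpolated field is encoded for an HTML text context.
function renderInquiry(inquiry) {
  return `<h2>${escapeHtml(inquiry.name)}</h2><p>${escapeHtml(inquiry.message)}</p>`;
}

// An attribute context needs the quote characters encoded as well; the same
// helper covers it because it encodes both quote characters. The URL path
// segment gets URL encoding, a different encoder for a different context.
function renderPostLink(post) {
  return `<a href="/admin/posts/${encodeURIComponent(post.id)}" title="${escapeHtml(post.brief)}">${escapeHtml(post.title)}</a>`;
}

// Constructed sample submission of the kind the advisories describe.
const SAMPLE_INQUIRY = {
  name: 'Visitor',
  message: '<script>alert(1)</script>',
};

console.log(renderInquiryUnsafe(SAMPLE_INQUIRY)); // the script tag survives
console.log(renderInquiry(SAMPLE_INQUIRY));       // the script tag is inert text
```

The encoder is chosen by where the value lands: HTML text and quoted attribute values use escapeHtml, a URL segment uses encodeURIComponent. Markdown fields need the same treatment after rendering, since the rendered HTML is what reaches the browser.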

keystone is a Web Application Framework and Admin GUI / Content Management System built on Express.js and Mongoose.

Affected versions of the package are vulnerable to CSV Injection.

How to fix CSV Injection?

Upgrade keystone to version 4.0.0-beta.7 or higher.

Vulnerable versions: <4.0.0-beta.7
  • Medium: Authentication Weakness
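The CSV Injection entry names the class of bug but not the mechanism; the usual one is an export that writes user-supplied text into a CSV cell unchanged, so a spreadsheet opening the file evaluates a leading "=" or similar as a formula. The following is an added example, not keystone's own code, of cell encoding that neutralises that and also applies RFC 4180 quoting. The row shape and sample values are constructed for the illustration.

```javascript
// Added example, not keystone's own code: CSV export cell encoding that
// neutralises spreadsheet formula injection. Exporting admin list data to
// CSV is the assumed use; the row shape is invented.
const FORMULA_TRIGGERS = new Set(['=', '+', '-', '@', '\t', '\r']);

function csvCell(value) {
  let text = value == null ? '' : String(value);
  // A leading trigger character would be interpreted as a formula by
  // spreadsheet software; prefixing a single quote forces it to be text.
  if (text.length > 0 && FORMULA_TRIGGERS.has(text[0])) {
    text = "'" + text;
  }
  // RFC 4180 quoting: wrap fields containing delimiter, quote or newline,
  // doubling any embedded double quotes.
  if (/[",\r\n]/.test(text)) {
    text = '"' + text.replace(/"/g, '""') + '"';
  }
  return text;
}

function toCsv(header, rows) {
  const lines = [header.map(csvCell).join(',')];
  for (const row of rows) {
    lines.push(header.map((key) => csvCell(row[key])).join(','));
  }
  return lines.join('\r\n');
}

// Constructed sample rows: the second "name" is the kind of value a
// spreadsheet would otherwise evaluate as a formula.
const SAMPLE_ROWS = [
  { name: 'Alice', email: 'alice@example.com' },
  { name: '=HYPERLINK("http://example.invalid","click")', email: 'b@example.com' },
];

console.log(toCsv(['name', 'email'], SAMPLE_ROWS));
```

The quote prefix is applied to every text cell, so a column that legitimately starts with "-" or "+" (negative numbers, phone numbers) comes out as text too; emit genuinely numeric columns as numbers, or exempt them deliberately, rather than weakening the trigger set.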

Invalid email addresses can be mistakenly matched during sign-in. This affects which User record is fetched from the DB. The correct password for that User is still required to authenticate.

Vulnerable versions: <0.3.16