Keystonejs

Keystone

12 Schwachstellen gefunden.

Hinweis: Diese Liste kann unvollständig sein. Daten werden ohne Gewähr im Ursprungsformat bereitgestellt.
4.3

CVE-2025-46720

  • EPSS 0.21%
  • Veröffentlicht 05.05.2025 18:53:51
  • Zuletzt bearbeitet 19.09.2025 19:53:56

Keystone is a content management system for Node.js. Prior to version 6.5.0, `{field}.isFilterable` access control can be bypassed in `update` and `delete` mutations by adding additional unique filters. These filters can be used as an oracle to probe...

5.3

CVE-2023-40027

  • EPSS 0.26%
  • Veröffentlicht 15.08.2023 18:15:10
  • Zuletzt bearbeitet 21.11.2024 08:18:33

Keystone is an open source headless CMS for Node.js — built with GraphQL and React. When `ui.isAccessAllowed` is set as `undefined`, the `adminMeta` GraphQL query is publicly accessible (no session required). This is different to the behaviour of the...

4.1

CVE-2023-34247

  • EPSS 0.02%
  • Veröffentlicht 13.06.2023 17:15:14
  • Zuletzt bearbeitet 21.11.2024 08:06:51

Keystone is a content management system for Node.JS. There is an open redirect in the `@keystone-6/auth` package versions 7.0.0 and prior, where the redirect leading `/` filter can be bypassed. Users may be redirected to domains other than the relati...

9.8

CVE-2022-39382

Exploit
  • EPSS 2.02%
  • Veröffentlicht 03.11.2022 14:15:23
  • Zuletzt bearbeitet 21.11.2024 07:18:10

Keystone is a headless CMS for Node.js — built with GraphQL and React.`@keystone-6/core@3.0.0 || 3.0.1` users that use `NODE_ENV` to trigger security-sensitive functionality in their production builds are vulnerable to `NODE_ENV` being inlined to `"d...

9.8

CVE-2022-39322

Exploit
  • EPSS 0.93%
  • Veröffentlicht 25.10.2022 17:15:56
  • Zuletzt bearbeitet 21.11.2024 07:18:02

@keystone-6/core is a core package for Keystone 6, a content management system for Node.js. Starting with version 2.2.0 and prior to version 2.3.1, users who expected their `multiselect` fields to use the field-level access control - if configured - ...

9.8

CVE-2022-29354

Exploit
  • EPSS 3.87%
  • Veröffentlicht 16.05.2022 14:15:07
  • Zuletzt bearbeitet 21.11.2024 06:58:57

An arbitrary file upload vulnerability in the file upload module of Keystone v4.2.1 allows attackers to execute arbitrary code via a crafted file.

6.1

CVE-2022-0087

Exploit
  • EPSS 56.13%
  • Veröffentlicht 12.01.2022 00:15:10
  • Zuletzt bearbeitet 21.11.2024 06:37:53

keystone is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

7.5

CVE-2015-9240

  • EPSS 0.24%
  • Veröffentlicht 29.05.2018 20:29:00
  • Zuletzt bearbeitet 21.11.2024 02:40:07

Due to a bug in the the default sign in functionality in the keystone node module before 0.3.16, incomplete email addresses could be matched. A correct password is still required to complete sign in.

8.8

CVE-2017-16570

  • EPSS 0.2%
  • Veröffentlicht 06.11.2017 08:29:00
  • Zuletzt bearbeitet 20.04.2025 01:37:25

KeystoneJS before 4.0.0-beta.7 allows application-wide CSRF bypass by removing the CSRF parameter and value, aka SecureLayer7 issue number SL7_KEYJS_03. In other words, it fails to reject requests that lack an x-csrf-token header.

4.8

CVE-2017-15881

  • EPSS 0.47%
  • Veröffentlicht 24.10.2017 22:29:00
  • Zuletzt bearbeitet 20.04.2025 01:37:25

Cross-Site Scripting vulnerability in KeystoneJS before 4.0.0-beta.7 allows remote authenticated administrators to inject arbitrary web script or HTML via the "content brief" or "content extended" field, a different vulnerability than CVE-2017-15878.