CVE-2017-15878

MEDIUM

Keystone < 4.0.0 - XSS

Title source: rule

Description

A cross-site scripting (XSS) vulnerability exists in fields/types/markdown/MarkdownType.js in KeystoneJS before 4.0.0-beta.7 via the Contact Us feature.

Exploits (1)

exploitdb WORKING POC

by Ishaq Mohammed · textwebappsnodejs

https://www.exploit-db.com/exploits/43054

View Code ZIP pw:eip

References (5)

[Issue Tracking, Third Party Advisory] http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report/

[Third Party Advisory, VDB Entry] http://www.securityfocus.com/bid/101541

[Issue Tracking, Patch, Third Party Advisory] https://github.com/keystonejs/keystone/pull/4478

[Exploit, Issue Tracking, Patch, Third Party Advisory, VDB Entry] https://packetstormsecurity.com/files/144756/KeystoneJS-4.0.0-beta.5-Unauthenticated-Stored-Cross-Site-Scripting.html

[Exploit, Issue Tracking, Patch, Third Party Advisory, VDB Entry] https://www.exploit-db.com/exploits/43054/

Scores

CVSS v3 6.1

EPSS 0.0360

EPSS Percentile 87.8%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (2)

keystonejs/keystone < 4.0.0

npm/keystone 0 - 4.0.0npm

Published Oct 24, 2017

Tracked Since Feb 18, 2026