CVE-2017-15878

MEDIUM

KeystoneJS < 4.0.0 - Stored Cross-Site Scripting via Contact Us Feature

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2017-15878. PoCs published by Ishaq Mohammed.

AI-analyzed exploit summary This exploit demonstrates an unauthenticated stored XSS vulnerability in KeystoneJS 4.0.0-beta.5 via the Contact Us feature. The payload is injected into the message field and triggers when an admin views the record.

Description

A cross-site scripting (XSS) vulnerability exists in fields/types/markdown/MarkdownType.js in KeystoneJS before 4.0.0-beta.7 via the Contact Us feature.

Exploits (1)

exploitdb WORKING POC

by Ishaq Mohammed · textwebappsnodejs

https://www.exploit-db.com/exploits/43054

View Code ZIP pw:eip

This exploit demonstrates an unauthenticated stored XSS vulnerability in KeystoneJS 4.0.0-beta.5 via the Contact Us feature. The payload is injected into the message field and triggers when an admin views the record.

Classification

Working Poc 100%

Attack Type

Xss

Complexity

Trivial

Reliability

Reliable

Target: KeystoneJS before 4.0.0-beta.7

No auth needed

Prerequisites: Access to the Contact Us page

MITRE ATT&CK

T1059.007 - JavaScript

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Core References

Issue Tracking, Patch, Third Party Advisory x_refsource_confirm

https://github.com/keystonejs/keystone/pull/4478

Third Party Advisory, VDB Entry vdb-entry x_refsource_bid

http://www.securityfocus.com/bid/101541

Exploit, Issue Tracking, Patch, Third Party Advisory, VDB Entry exploit x_refsource_exploit-db

https://www.exploit-db.com/exploits/43054/

Issue Tracking, Third Party Advisory x_refsource_misc

http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report/

Exploit, Issue Tracking, Patch, Third Party Advisory, VDB Entry x_refsource_misc

https://packetstormsecurity.com/files/144756/KeystoneJS-4.0.0-beta.5-Unauthenticated-Stored-Cross-Site-Scripting.html

Scores

CVSS v3 6.1

EPSS 0.0360

EPSS Percentile 88.1%

Attack Vector NETWORK

CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Details

CWE

CWE-79

Status published

Products (2)

keystonejs/keystone < 4.0.0

npm/keystone 0 - 4.0.0npm

Published Oct 24, 2017

Tracked Since Feb 18, 2026