NodeJS/keystone/0.2.4

Web Application Framework and Admin GUI / Content Management System built on Express.js and Mongoose

Repo Link: https://www.npmjs.com/package/keystone
License: MIT

8 Security Vulnerabilities

Authentication Weakness in keystone

Published date: 2018-06-07T19:43:20Z

CVE: CVE-2015-9240

Links:

Versions of keystone prior to 0.3.16 are affected by a partial authentication bypass vulnerability. In the default sign in functionality, if an attacker provides a full and correct password, yet only provides part of the associated email address, authentication will be granted.

Recommendation

Update to version 0.3.16 or later.

Affected versions: ["0.0.9", "0.0.10", "0.0.11", "0.0.12", "0.0.13", "0.0.14", "0.0.15", "0.0.16", "0.0.17", "0.0.18", "0.0.19", "0.0.20", "0.0.21", "0.0.22", "0.0.23", "0.0.24", "0.0.25", "0.0.26", "0.0.27", "0.0.28", "0.0.29", "0.0.30", "0.0.31", "0.0.32", "0.0.33", "0.0.34", "0.0.35", "0.0.36", "0.0.37", "0.0.38", "0.0.39", "0.0.40", "0.0.41", "0.0.42", "0.0.43", "0.1.0", "0.1.1", "0.1.2", "0.1.3", "0.1.4", "0.1.5", "0.1.6", "0.1.7", "0.1.8", "0.1.9", "0.1.10", "0.1.11", "0.1.12", "0.1.13", "0.1.14", "0.1.15", "0.1.16", "0.1.17", "0.1.18", "0.1.19", "0.1.20", "0.1.21", "0.1.22", "0.1.23", "0.1.24", "0.1.25", "0.1.26", "0.1.27", "0.1.28", "0.1.29", "0.1.30", "0.1.31", "0.1.32", "0.1.33", "0.1.34", "0.1.35", "0.1.36", "0.1.37", "0.1.38", "0.1.39", "0.1.40", "0.1.41", "0.1.42", "0.1.43", "0.1.44", "0.1.45", "0.1.46", "0.1.47", "0.1.48", "0.1.49", "0.1.50", "0.1.51", "0.1.52", "0.1.53", "0.1.54", "0.1.55", "0.2.0", "0.2.1", "0.2.2", "0.2.3", "0.2.4", "0.2.5", "0.2.6", "0.2.7", "0.2.8", "0.2.9", "0.2.10", "0.2.11", "0.2.12", "0.2.13", "0.2.14", "0.2.15", "0.2.16", "0.2.17", "0.2.18", "0.2.19", "0.2.20", "0.2.21", "0.2.22", "0.2.23", "0.2.24", "0.2.25", "0.2.26", "0.2.27", "0.2.28", "0.2.29", "0.2.30", "0.2.31", "0.2.32", "0.2.33", "0.2.34", "0.2.35", "0.2.36", "0.2.37", "0.2.38", "0.2.39", "0.2.40", "0.2.41", "0.2.42", "0.3.0", "0.3.1", "0.3.2", "0.3.3", "0.3.4", "0.3.5", "0.3.6", "0.3.7", "0.3.8", "0.3.9", "0.3.10", "0.3.11", "0.3.12", "0.3.13", "0.3.14", "0.3.15"]

Secure versions: [4.0.0, 4.1.0, 4.1.1, 4.2.0, 4.2.1]

Recommendation: Update to version 4.2.1.

Keystone is vulnerable to CSV injection

Published date: 2017-11-16T01:46:50Z

CVE: CVE-2017-15879

Links:

CSV Injection (aka Excel Macro Injection or Formula Injection) exists in admin/server/api/download.js and lib/list/getCSVData.js in KeystoneJS before 4.0.0-beta.7 via a value that is mishandled in a CSV export.

Secure versions: [4.0.0, 4.1.0, 4.1.1, 4.2.0, 4.2.1]

Recommendation: Update to version 4.2.1.

Cross-Site Scripting in keystone

Published date: 2017-11-16T01:47:02Z

CVE: CVE-2017-15881

Links:

Versions of keystone prior to 4.0.0 are vulnerable to Cross-Site Scripting (XSS). The package fails to properly encode rendered HTML on admin-created blog posts. This allows attackers to execute arbitrary JavaScript in the victim's browser. Exploiting this vulnerability requires having access to an admin account.

Recommendation

Update to version 4.0.0 or later.

Secure versions: [4.0.0, 4.1.0, 4.1.1, 4.2.0, 4.2.1]

Recommendation: Update to version 4.2.1.

Cross-Site Scripting in keystone

Published date: 2017-11-15T19:44:16Z

CVE: CVE-2017-15878

Links:

Versions of keystone prior to 4.0.0 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize user input on the Contact Us page, allowing attackers to submit contact forms with malicious JavaScript in the message field. The output is not properly encoded leading an admin that opens new inquiry to execute the arbitrary JavaScript supplied in their browser.

Recommendation

Update to version 4.0.0 or later.

Secure versions: [4.0.0, 4.1.0, 4.1.1, 4.2.0, 4.2.1]

Recommendation: Update to version 4.2.1.

Authentication Weakness in keystone

Published date: 2020-08-19T21:30:04Z

Links:

There is an authentication weakness vulnerability in keystone before version 0.3.16. Due to a bug in the the default sign in functionality, incomplete email addresses could be matched. A correct password is still required to complete sign in.

Secure versions: [4.0.0, 4.1.0, 4.1.1, 4.2.0, 4.2.1]

Recommendation: Update to version 4.2.1.

Cross-Site Scripting in keystone

Published date: 2020-08-20T17:21:46Z

Links:

Withdrawn: Duplicate of GHSA-7qcx-jmrc-h2rr

Secure versions: [4.0.0, 4.1.0, 4.1.1, 4.2.0, 4.2.1]

Recommendation: Update to version 4.2.1.

Cross-Site Request Forgery (CSRF) in keystone

Published date: 2017-11-30T23:14:47Z

CVE: CVE-2017-16570

Links:

Versions of keystone prior to 4.0.0 are vulnerable to Cross-Site Request Forgery (CSRF). The package fails to validate the presence of the X-CSRF-Token header, which may allow attackers to carry actions on behalf of other users on all endpoints.

Recommendation

Update to version 4.0.0 or later.

Secure versions: [4.0.0, 4.1.0, 4.1.1, 4.2.0, 4.2.1]

Recommendation: Update to version 4.2.1.

Authentication Weakness

Published date: 2015-12-04

CVSS Score: 4.3

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Coordinating vendor: ^Lift Security

Due to a bug in the the default sign in functionality, incomplete email addresses could be matched. A correct password is still required to complete sign in.

Secure versions: [4.0.0, 4.1.0, 4.1.1, 4.2.0, 4.2.1]

Recommendation: Users of this module should update to version 0.3.16 or greater

171 Other Versions

Version	License	Security	Released
4.2.1	MIT		2019-07-15 - 12:56	almost 5 years
4.2.0	MIT		2019-07-15 - 12:49	almost 5 years
4.1.1	MIT		2019-06-23 - 12:57	almost 5 years
4.1.0	MIT		2019-05-19 - 15:54	almost 5 years
4.0.0	MIT		2018-07-25 - 08:31	almost 6 years
4.0.0-rc.1	MIT	2	2018-07-06 - 07:57	almost 6 years
4.0.0-rc.0	MIT	2	2018-06-22 - 09:31	almost 6 years
4.0.0-beta.8	MIT	2	2018-01-22 - 13:00	over 6 years
4.0.0-beta.7	MIT	2	2017-10-23 - 06:45	over 6 years
4.0.0-beta.5	MIT	5	2017-01-25 - 06:08	over 7 years
4.0.0-beta.4	MIT	5	2016-12-02 - 02:11	over 7 years
4.0.0-beta.3	MIT	5	2016-09-25 - 10:56	over 7 years
4.0.0-beta.2	MIT	5	2016-09-06 - 02:25	over 7 years
4.0.0-beta.1	MIT	5	2016-08-25 - 07:54	over 7 years
0.3.22	MIT	5	2016-07-22 - 10:36	almost 8 years
0.3.21	MIT	5	2016-06-19 - 11:44	almost 8 years
0.3.20	MIT	5	2016-06-17 - 11:45	almost 8 years
0.3.19	MIT	5	2016-05-04 - 15:09	almost 8 years
0.3.18	MIT	5	2016-04-27 - 06:59	about 8 years
0.3.17	MIT	5	2016-03-23 - 09:04	about 8 years
0.3.16	MIT	5	2015-12-04 - 02:49	over 8 years
0.3.15	MIT	8	2015-10-15 - 00:28	over 8 years
0.3.14	MIT	8	2015-08-25 - 04:48	over 8 years
0.3.13	MIT	8	2015-08-03 - 11:36	over 8 years
0.3.12	MIT	8	2015-06-25 - 14:16	almost 9 years
0.3.11	MIT	8	2015-06-12 - 06:16	almost 9 years
0.3.10	MIT	8	2015-05-19 - 13:55	almost 9 years
0.3.9	MIT	8	2015-05-16 - 14:25	almost 9 years
0.3.8	MIT	8	2015-04-23 - 13:36	about 9 years
0.3.7	MIT	8	2015-04-23 - 09:44	about 9 years
0.3.6	MIT	8	2015-04-14 - 00:18	about 9 years
0.3.5	MIT	8	2015-04-12 - 10:52	about 9 years
0.3.4	MIT	8	2015-03-10 - 12:07	about 9 years
0.3.3	MIT	8	2015-03-08 - 12:17	about 9 years
0.3.2	MIT	8	2015-02-27 - 11:22	about 9 years
0.3.1	MIT	8	2015-02-13 - 11:37	about 9 years
0.3.0	MIT	8	2015-02-10 - 10:49	about 9 years
0.2.42	MIT	8	2015-01-20 - 03:47	over 9 years
0.2.41	MIT	8	2015-01-18 - 11:48	over 9 years
0.2.40	MIT	8	2014-12-31 - 04:26	over 9 years
0.2.39	MIT	8	2014-12-20 - 07:57	over 9 years
0.2.38	MIT	8	2014-12-19 - 07:52	over 9 years
0.2.37	MIT	8	2014-12-19 - 00:54	over 9 years
0.2.36	MIT	8	2014-12-07 - 04:51	over 9 years
0.2.35	MIT	8	2014-12-03 - 07:00	over 9 years
0.2.34	MIT	8	2014-11-29 - 10:14	over 9 years
0.2.33	MIT	8	2014-11-04 - 14:36	over 9 years
0.2.32	MIT	8	2014-10-16 - 11:08	over 9 years
0.2.31	MIT	8	2014-10-14 - 12:50	over 9 years
0.2.30	MIT	8	2014-10-02 - 12:17	over 9 years
0.2.29	MIT	8	2014-09-30 - 13:54	over 9 years
0.2.28	MIT	8	2014-09-12 - 11:42	over 9 years
0.2.27	MIT	8	2014-08-30 - 11:43	over 9 years
0.2.26	MIT	8	2014-08-14 - 04:03	over 9 years
0.2.25	MIT	8	2014-07-27 - 13:09	almost 10 years
0.2.24	MIT	8	2014-07-25 - 07:10	almost 10 years
0.2.23	MIT	8	2014-07-20 - 11:06	almost 10 years
0.2.22	MIT	8	2014-06-28 - 17:17	almost 10 years
0.2.21	MIT	8	2014-06-16 - 03:57	almost 10 years
0.2.20	MIT	8	2014-06-06 - 11:00	almost 10 years
0.2.19	MIT	8	2014-05-28 - 08:19	almost 10 years
0.2.18	MIT	8	2014-05-21 - 15:05	almost 10 years
0.2.17	MIT	8	2014-05-19 - 02:19	almost 10 years
0.2.16	MIT	8	2014-05-14 - 11:20	almost 10 years
0.2.15	MIT	8	2014-05-13 - 06:13	almost 10 years
0.2.14	MIT	8	2014-04-15 - 16:40	about 10 years
0.2.13	MIT	8	2014-04-03 - 14:31	about 10 years
0.2.12	MIT	8	2014-04-02 - 15:25	about 10 years
0.2.11	MIT	8	2014-04-02 - 11:30	about 10 years
0.2.10	MIT	8	2014-03-18 - 15:46	about 10 years
0.2.9	MIT	8	2014-03-18 - 12:42	about 10 years
0.2.8	MIT	8	2014-03-12 - 16:05	about 10 years
0.2.7	MIT	8	2014-03-11 - 08:31	about 10 years
0.2.6	MIT	8	2014-02-25 - 06:08	about 10 years
0.2.5	MIT	8	2014-02-17 - 15:56	about 10 years
0.2.4	MIT	8	2014-02-15 - 16:35	about 10 years
0.2.3	MIT	8	2014-02-10 - 15:10	about 10 years
0.2.2	MIT	8	2014-02-05 - 09:48	about 10 years
0.2.1	MIT	8	2014-02-04 - 06:16	about 10 years
0.2.0	MIT	8	2014-01-25 - 16:18	over 10 years
0.1.55	MIT	8	2013-12-30 - 03:45	over 10 years
0.1.54	MIT	8	2013-12-23 - 08:50	over 10 years
0.1.53	MIT	8	2013-12-22 - 14:29	over 10 years
0.1.52	MIT	8	2013-12-12 - 08:29	over 10 years
0.1.51	MIT	8	2013-12-10 - 17:08	over 10 years
0.1.50	MIT	8	2013-12-09 - 07:24	over 10 years
0.1.49	MIT	8	2013-12-04 - 06:52	over 10 years
0.1.48	MIT	8	2013-12-03 - 06:21	over 10 years
0.1.47	MIT	8	2013-12-02 - 06:55	over 10 years
0.1.46	MIT	8	2013-11-27 - 08:38	over 10 years
0.1.45	MIT	8	2013-11-20 - 14:51	over 10 years
0.1.44	MIT	8	2013-11-19 - 15:50	over 10 years
0.1.43	MIT	8	2013-11-19 - 14:27	over 10 years
0.1.42	MIT	8	2013-11-18 - 15:49	over 10 years
0.1.41	MIT	8	2013-11-18 - 10:56	over 10 years
0.1.40	MIT	8	2013-11-14 - 09:00	over 10 years
0.1.39	MIT	8	2013-11-06 - 13:45	over 10 years
0.1.38	MIT	8	2013-11-05 - 15:44	over 10 years
0.1.37	MIT	8	2013-11-04 - 06:59	over 10 years
0.1.36	MIT	8	2013-11-02 - 14:57	over 10 years