CVE-2017-15878
Cross-Site Scripting in keystone
CVSS 3.1 score: 6.1 (MEDIUM)
EPSS: 3.6%
Description
Versions of `keystone` prior to 4.0.0 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize user input on the `Contact Us` page, allowing attackers to submit contact forms with malicious JavaScript in the message field. The output is not properly encoded, so an admin who opens the new inquiry executes the arbitrary JavaScript supplied, in their browser.
Recommendation
Update to version 4.0.0 or later.
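As an added illustration of the pattern the description gives (not keystone's own code), here is an admin inquiry view that interpolates the stored message unencoded, beside the same view with HTML output encoding, run over a constructed Contact Us record; all function and field names are assumptions.

```javascript
// Added example, not from the keystone project: the stored-XSS shape behind
// CVE-2017-15878 and its fix. A Contact Us submission is stored verbatim and
// later rendered into the admin's inquiry page; if that render step drops the
// message into the markup as-is, the browser parses whatever the visitor typed.

// Encode the five characters that change meaning in HTML text and attribute context.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable rendering: untrusted fields are interpolated without encoding,
// so tags inside the stored submission become live markup in the admin's browser.
function renderInquiryUnsafe(inquiry) {
  return `<div class="inquiry"><h2>${inquiry.name}</h2>` +
    `<p>${inquiry.message}</p></div>`;
}

// Fixed rendering: every untrusted field is HTML-encoded at output time,
// so the submission is shown as literal text instead of being parsed as markup.
function renderInquirySafe(inquiry) {
  return `<div class="inquiry"><h2>${escapeHtml(inquiry.name)}</h2>` +
    `<p>${escapeHtml(inquiry.message)}</p></div>`;
}

// Regression check for a test suite: does any tag present in the untrusted
// input survive verbatim into the rendered HTML?
function containsUnescapedMarkup(html, untrusted) {
  const tags = String(untrusted).match(/<[^>]+>/g) || [];
  return tags.some((tag) => html.includes(tag));
}

// Constructed sample standing in for a stored Contact Us record.
const sampleInquiry = {
  name: 'Visitor <b>Bold</b>',
  message: 'Hello <script>alert(1)</script> from the contact form',
};

// containsUnescapedMarkup(renderInquiryUnsafe(sampleInquiry), sampleInquiry.message) -> true
// containsUnescapedMarkup(renderInquirySafe(sampleInquiry), sampleInquiry.message)   -> false
```

The regression check is the piece worth keeping in CI: it turns "output is not properly encoded" into an assertion that fails whenever a template starts interpolating stored form data unencoded again.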
How to fix CVE-2017-15878
To remediate CVE-2017-15878, upgrade the affected package to a fixed version below.
- keystone: upgrade to 4.0.0 or later
Is CVE-2017-15878 being exploited?
Low — EPSS is 3.6%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- keystone: >= 0, < 4.0.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |