CVE-2017-15881 — Cross-Site Scripting in keystone

Description

Versions of `keystone` prior to 4.0.0 are vulnerable to Cross-Site Scripting (XSS). The package fails to properly encode rendered HTML on admin-created blog posts. This allows attackers to execute arbitrary JavaScript in the victim's browser. Exploiting this vulnerability requires having access to an admin account. ## Recommendation Update to version 4.0.0 or later.

How to fix CVE-2017-15881

To remediate CVE-2017-15881, upgrade the affected package to a fixed version below.

—upgrade to 4.0.0-beta7 or later

Is CVE-2017-15881 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 4.0.0-beta7

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.8	CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

References (8)

ADVISORYgithub.com/advisories/GHSA-7cv6-gvx3-m54m
ADVISORYnvd.nist.gov/vuln/detail/CVE-2017-15881
WEBblog.securelayer7.net/keystonejs-open-source-penetration-testing-report
WEBgithub.com/keystonejs/keystone/issues/4437
WEB