Vulnerabilities > Keystonejs
DATE | CVE | VULNERABILITY TITLE | RISK |
---|---|---|---|
2023-08-15 | CVE-2023-40027 | Missing Authorization vulnerability in Keystonejs Keystone. Keystone is an open source headless CMS for Node.js — built with GraphQL and React. | 5.3 |
2023-06-13 | CVE-2023-34247 | Open Redirect vulnerability in Keystonejs Keystone. Keystone is a content management system for Node.JS. | 4.1 |
2022-11-03 | CVE-2022-39382 | Injection vulnerability in Keystonejs Keystone 3.0.0/3.0.1. Keystone is a headless CMS for Node.js — built with GraphQL and React. `@keystone-6/core@3.0.0 || 3.0.1` users that use `NODE_ENV` to trigger security-sensitive functionality in their production builds are vulnerable to `NODE_ENV` being inlined to `"development"` for user code, irrespective of your environment variables. | 9.8 |
2022-10-25 | CVE-2022-39322 | Incorrect Authorization vulnerability in Keystonejs Keystone 2.2.0/2.3.0. @keystone-6/core is a core package for Keystone 6, a content management system for Node.js. | 9.8 |
2022-05-16 | CVE-2022-29354 | Unrestricted Upload of File with Dangerous Type vulnerability in Keystonejs Keystone 4.2.1. An arbitrary file upload vulnerability in the file upload module of Keystone v4.2.1 allows attackers to execute arbitrary code via a crafted file. | 9.8 |
2022-01-12 | CVE-2022-0087 | Cross-site Scripting vulnerability in Keystonejs Keystone. keystone is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). | 6.1 |
2021-05-24 | CVE-2021-32624 | Information Exposure vulnerability in Keystonejs Keystone-5. Keystone 5 is an open source CMS platform to build Node.js applications. | 5.3 |
2018-05-29 | CVE-2015-9240 | Credentials Management vulnerability in Keystonejs Keystone. Due to a bug in the default sign in functionality in the keystone node module before 0.3.16, incomplete email addresses could be matched. | 7.5 |
2017-11-06 | CVE-2017-16570 | Cross-Site Request Forgery (CSRF) vulnerability in Keystonejs Keystone. KeystoneJS before 4.0.0-beta.7 allows application-wide CSRF bypass by removing the CSRF parameter and value, aka SecureLayer7 issue number SL7_KEYJS_03. | 8.8 |
2017-10-24 | CVE-2017-15881 | Cross-site Scripting vulnerability in Keystonejs Keystone. Cross-Site Scripting vulnerability in KeystoneJS before 4.0.0-beta.7 allows remote authenticated administrators to inject arbitrary web script or HTML via the "content brief" or "content extended" field, a different vulnerability than CVE-2017-15878. | 4.8 |