Vulnerability-Lookup

CVE-2017-15881 (GCVE-0-2017-15881)

Vulnerability from cvelistv5 – Published: 2017-10-24 22:00 – Updated: 2024-08-05 20:04

Summary

Cross-Site Scripting vulnerability in KeystoneJS before 4.0.0-beta.7 allows remote authenticated administrators to inject arbitrary web script or HTML via the "content brief" or "content extended" field, a different vulnerability than CVE-2017-15878.

Severity ?

No CVSS data available.

CWE

Assigner

mitre

References

URL

GSD-2017-15881

Vulnerability from gsd - Updated: 2023-12-13 01:20

Details

Aliases

CVE-2017-15881

Aliases

CVE-2017-15881

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2017-15881",
    "description": "Cross-Site Scripting vulnerability in KeystoneJS before 4.0.0-beta.7 allows remote authenticated administrators to inject arbitrary web script or HTML via the \"content brief\" or \"content extended\" field, a different vulnerability than CVE-2017-15878.",
    "id": "GSD-2017-15881"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2017-15881"
      ],
      "details": "Cross-Site Scripting vulnerability in KeystoneJS before 4.0.0-beta.7 allows remote authenticated administrators to inject arbitrary web script or HTML via the \"content brief\" or \"content extended\" field, a different vulnerability than CVE-2017-15878.",
      "id": "GSD-2017-15881",
      "modified": "2023-12-13T01:20:58.950049Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "cve@mitre.org",
        "ID": "CVE-2017-15881",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Cross-Site Scripting vulnerability in KeystoneJS before 4.0.0-beta.7 allows remote authenticated administrators to inject arbitrary web script or HTML via the \"content brief\" or \"content extended\" field, a different vulnerability than CVE-2017-15878."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "101541",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/101541"
          },
          {
            "name": "http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report/",
            "refsource": "MISC",
            "url": "http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report/"
          },
          {
            "name": "https://github.com/keystonejs/keystone/issues/4437",
            "refsource": "MISC",
            "url": "https://github.com/keystonejs/keystone/issues/4437"
          },
          {
            "name": "https://github.com/keystonejs/keystone/pull/4478",
            "refsource": "MISC",
            "url": "https://github.com/keystonejs/keystone/pull/4478"
          }
        ]
      }
    },
    "gitlab.com": {
      "advisories": [
        {
          "affected_range": "\u003c=0.3.22||=4.0.0",
          "affected_versions": "All versions up to 0.3.22, version 4.0.0",
          "cvss_v2": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "cvss_v3": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
          "cwe_ids": [
            "CWE-1035",
            "CWE-79",
            "CWE-937"
          ],
          "date": "2019-12-09",
          "description": "Cross-Site Scripting vulnerability in KeystoneJS allows remote authenticated administrators to inject arbitrary web script or HTML via the `content brief` or `content extended` field.",
          "fixed_versions": [
            "4.1.0"
          ],
          "identifier": "CVE-2017-15881",
          "identifiers": [
            "CVE-2017-15881"
          ],
          "not_impacted": "All versions after 0.3.22 before 4.0.0, all versions after 4.0.0",
          "package_slug": "npm/keystone",
          "pubdate": "2017-10-24",
          "solution": "Upgrade to version 4.1.0 or above.",
          "title": "Cross-site Scripting",
          "urls": [
            "https://nvd.nist.gov/vuln/detail/CVE-2017-15881",
            "http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report/",
            "http://www.securityfocus.com/bid/101541",
            "https://github.com/keystonejs/keystone/issues/4437",
            "https://github.com/keystonejs/keystone/pull/4478"
          ],
          "uuid": "c7fc302b-e14c-461d-983f-2947dde75e64"
        }
      ]
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:keystonejs:keystone:*:*:*:*:*:node.js:*:*",
                "cpe_name": [],
                "versionEndIncluding": "0.3.22",
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:keystonejs:keystone:4.0.0:-:*:*:*:node.js:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:keystonejs:keystone:4.0.0:beta1:*:*:*:node.js:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:keystonejs:keystone:4.0.0:beta2:*:*:*:node.js:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:keystonejs:keystone:4.0.0:beta3:*:*:*:node.js:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:keystonejs:keystone:4.0.0:beta4:*:*:*:node.js:*:*",
                "cpe_name": [],
                "vulnerable": true
              },
              {
                "cpe23Uri": "cpe:2.3:a:keystonejs:keystone:4.0.0:beta5:*:*:*:node.js:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2017-15881"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Cross-Site Scripting vulnerability in KeystoneJS before 4.0.0-beta.7 allows remote authenticated administrators to inject arbitrary web script or HTML via the \"content brief\" or \"content extended\" field, a different vulnerability than CVE-2017-15878."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "CWE-79"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/keystonejs/keystone/pull/4478",
              "refsource": "MISC",
              "tags": [
                "Issue Tracking",
                "Patch",
                "Third Party Advisory"
              ],
              "url": "https://github.com/keystonejs/keystone/pull/4478"
            },
            {
              "name": "https://github.com/keystonejs/keystone/issues/4437",
              "refsource": "MISC",
              "tags": [
                "Issue Tracking",
                "Third Party Advisory"
              ],
              "url": "https://github.com/keystonejs/keystone/issues/4437"
            },
            {
              "name": "http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report/",
              "refsource": "MISC",
              "tags": [
                "Issue Tracking",
                "Third Party Advisory"
              ],
              "url": "http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report/"
            },
            {
              "name": "101541",
              "refsource": "BID",
              "tags": [
                "Third Party Advisory",
                "VDB Entry"
              ],
              "url": "http://www.securityfocus.com/bid/101541"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "SINGLE",
            "availabilityImpact": "NONE",
            "baseScore": 3.5,
            "confidentialityImpact": "NONE",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
            "version": "2.0"
          },
          "exploitabilityScore": 6.8,
          "impactScore": 2.9,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "LOW",
          "userInteractionRequired": true
        },
        "baseMetricV3": {
          "cvssV3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.8,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "LOW",
            "privilegesRequired": "HIGH",
            "scope": "CHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.1"
          },
          "exploitabilityScore": 1.7,
          "impactScore": 2.7
        }
      },
      "lastModifiedDate": "2019-12-09T17:05Z",
      "publishedDate": "2017-10-24T22:29Z"
    }
  }
}

FKIE_CVE-2017-15881

Vulnerability from fkie_nvd - Published: 2017-10-24 22:29 - Updated: 2025-04-20 01:37

Severity ?

4.8 (Medium) - CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Summary

References

URL	Tags
cve@mitre.org	http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report/	Issue Tracking, Third Party Advisory
cve@mitre.org	http://www.securityfocus.com/bid/101541	Third Party Advisory, VDB Entry
cve@mitre.org	https://github.com/keystonejs/keystone/issues/4437	Issue Tracking, Third Party Advisory
cve@mitre.org	https://github.com/keystonejs/keystone/pull/4478	Issue Tracking, Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report/	Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/101541	Third Party Advisory, VDB Entry
af854a3a-2127-422b-91ae-364da2661108	https://github.com/keystonejs/keystone/issues/4437	Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108	https://github.com/keystonejs/keystone/pull/4478	Issue Tracking, Patch, Third Party Advisory

Impacted products

Vendor	Product	Version
keystonejs	keystone	*
keystonejs	keystone	4.0.0
keystonejs	keystone	4.0.0
keystonejs	keystone	4.0.0
keystonejs	keystone	4.0.0
keystonejs	keystone	4.0.0
keystonejs	keystone	4.0.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:keystonejs:keystone:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "C32D3468-09D8-4515-B8B4-CBECED5C6EDD",
              "versionEndIncluding": "0.3.22",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:keystonejs:keystone:4.0.0:-:*:*:*:node.js:*:*",
              "matchCriteriaId": "939A5AB7-633A-4013-9A5F-FE793D6CDBE1",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:keystonejs:keystone:4.0.0:beta1:*:*:*:node.js:*:*",
              "matchCriteriaId": "DA566AA1-50F8-4A8C-9D50-FD6C98C24702",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:keystonejs:keystone:4.0.0:beta2:*:*:*:node.js:*:*",
              "matchCriteriaId": "AFE82BBF-FAD3-4A0F-BF9C-A6B735CE9C59",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:keystonejs:keystone:4.0.0:beta3:*:*:*:node.js:*:*",
              "matchCriteriaId": "B01C0065-8918-42E1-A7FF-002C0C088B25",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:keystonejs:keystone:4.0.0:beta4:*:*:*:node.js:*:*",
              "matchCriteriaId": "709083AB-14C2-4DDD-ADC2-436587ECBBA7",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:keystonejs:keystone:4.0.0:beta5:*:*:*:node.js:*:*",
              "matchCriteriaId": "872696B2-6C8F-406E-AD2E-A862BE2985EC",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Cross-Site Scripting vulnerability in KeystoneJS before 4.0.0-beta.7 allows remote authenticated administrators to inject arbitrary web script or HTML via the \"content brief\" or \"content extended\" field, a different vulnerability than CVE-2017-15878."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad Cross-Site Scripting (XSS) en KeystoneJS en versiones anteriores a la 4.0.0-beta.7 permite que administradores autenticados remotos inyecten scripts web o HTML arbitrarios mediante el campo \"content brief\" o \"content extended\". Esta es una vulnerabilidad diferente de CVE-2017-15878."
    }
  ],
  "id": "CVE-2017-15881",
  "lastModified": "2025-04-20T01:37:25.860",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "LOW",
        "cvssData": {
          "accessComplexity": "MEDIUM",
          "accessVector": "NETWORK",
          "authentication": "SINGLE",
          "availabilityImpact": "NONE",
          "baseScore": 3.5,
          "confidentialityImpact": "NONE",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:M/Au:S/C:N/I:P/A:N",
          "version": "2.0"
        },
        "exploitabilityScore": 6.8,
        "impactScore": 2.9,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": true
      }
    ],
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 4.8,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "LOW",
          "integrityImpact": "LOW",
          "privilegesRequired": "HIGH",
          "scope": "CHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 1.7,
        "impactScore": 2.7,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2017-10-24T22:29:00.240",
  "references": [
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report/"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/101541"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://github.com/keystonejs/keystone/issues/4437"
    },
    {
      "source": "cve@mitre.org",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/keystonejs/keystone/pull/4478"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory",
        "VDB Entry"
      ],
      "url": "http://www.securityfocus.com/bid/101541"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Third Party Advisory"
      ],
      "url": "https://github.com/keystonejs/keystone/issues/4437"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking",
        "Patch",
        "Third Party Advisory"
      ],
      "url": "https://github.com/keystonejs/keystone/pull/4478"
    }
  ],
  "sourceIdentifier": "cve@mitre.org",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-79"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

GHSA-7CV6-GVX3-M54M

Vulnerability from github – Published: 2017-11-16 01:47 – Updated: 2021-06-11 13:54

Summary

Cross-Site Scripting in keystone

Details

Versions of keystone prior to 4.0.0 are vulnerable to Cross-Site Scripting (XSS). The package fails to properly encode rendered HTML on admin-created blog posts. This allows attackers to execute arbitrary JavaScript in the victim's browser. Exploiting this vulnerability requires having access to an admin account.

Recommendation

Update to version 4.0.0 or later.

Severity ?

4.8 (Medium)


                  
                    CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 4.0.0-beta6"
      },
      "package": {
        "ecosystem": "npm",
        "name": "keystone"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "4.0.0-beta7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2017-15881"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2020-06-16T21:22:30Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "Versions of `keystone` prior to 4.0.0 are vulnerable to Cross-Site Scripting (XSS). The package fails to properly encode rendered HTML on admin-created blog posts. This allows attackers to execute arbitrary JavaScript in the victim\u0027s browser. Exploiting this vulnerability requires having access to an admin account.\n\n\n## Recommendation\n\nUpdate to version 4.0.0 or later.",
  "id": "GHSA-7cv6-gvx3-m54m",
  "modified": "2021-06-11T13:54:39Z",
  "published": "2017-11-16T01:47:02Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2017-15881"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keystonejs/keystone/issues/4437"
    },
    {
      "type": "WEB",
      "url": "https://github.com/keystonejs/keystone/pull/4478"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-7cv6-gvx3-m54m"
    },
    {
      "type": "WEB",
      "url": "https://securelayer7.net/download/pdf/KeystoneJS-Pentest-Report-SecureLayer7.pdf"
    },
    {
      "type": "WEB",
      "url": "https://www.npmjs.com/advisories/981"
    },
    {
      "type": "WEB",
      "url": "http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/101541"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Cross-Site Scripting in keystone"
}

CNVD-2017-32888

Vulnerability from cnvd - Published: 2017-11-07

Title

KeystoneJS跨站脚本漏洞（CNVD-2017-32888）

Description

KeystoneJS是一个开源的用于开发数据库驱动的网站、应用程序和API的框架。 KeystoneJS 4.0.0-beta.7之前的版本中存在跨站脚本漏洞。远程攻击者可借助‘content brief’或‘content extended’字段利用该漏洞注入任意的Web脚本或HTML。

Severity

中

Patch Name

KeystoneJS跨站脚本漏洞（CNVD-2017-32888）的补丁

Patch Description

KeystoneJS是一个开源的用于开发数据库驱动的网站、应用程序和API的框架。 KeystoneJS 4.0.0-beta.7之前的版本中存在跨站脚本漏洞。远程攻击者可借助‘content brief’或‘content extended’字段利用该漏洞注入任意的Web脚本或HTML。目前，供应商发布了安全公告及相关补丁信息，修复了此漏洞。

Formal description

厂商已发布漏洞修复程序，请及时关注更新： https://github.com/keystonejs/keystone/pull/4478

Reference

https://nvd.nist.gov/vuln/detail/CVE-2017-15881

Impacted products

Name
KeystoneJS KeystoneJS <4.0.0-beta.7

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "101541"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2017-15881"
    }
  },
  "description": "KeystoneJS\u662f\u4e00\u4e2a\u5f00\u6e90\u7684\u7528\u4e8e\u5f00\u53d1\u6570\u636e\u5e93\u9a71\u52a8\u7684\u7f51\u7ad9\u3001\u5e94\u7528\u7a0b\u5e8f\u548cAPI\u7684\u6846\u67b6\u3002\r\n\r\nKeystoneJS 4.0.0-beta.7\u4e4b\u524d\u7684\u7248\u672c\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u501f\u52a9\u2018content brief\u2019\u6216\u2018content extended\u2019\u5b57\u6bb5\u5229\u7528\u8be5\u6f0f\u6d1e\u6ce8\u5165\u4efb\u610f\u7684Web\u811a\u672c\u6216HTML\u3002",
  "discovererName": "Sandeep Kamble",
  "formalWay": "\u5382\u5546\u5df2\u53d1\u5e03\u6f0f\u6d1e\u4fee\u590d\u7a0b\u5e8f\uff0c\u8bf7\u53ca\u65f6\u5173\u6ce8\u66f4\u65b0\uff1a\r\nhttps://github.com/keystonejs/keystone/pull/4478",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2017-32888",
  "openTime": "2017-11-07",
  "patchDescription": "KeystoneJS\u662f\u4e00\u4e2a\u5f00\u6e90\u7684\u7528\u4e8e\u5f00\u53d1\u6570\u636e\u5e93\u9a71\u52a8\u7684\u7f51\u7ad9\u3001\u5e94\u7528\u7a0b\u5e8f\u548cAPI\u7684\u6846\u67b6\u3002\r\n\r\nKeystoneJS 4.0.0-beta.7\u4e4b\u524d\u7684\u7248\u672c\u4e2d\u5b58\u5728\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u3002\u8fdc\u7a0b\u653b\u51fb\u8005\u53ef\u501f\u52a9\u2018content brief\u2019\u6216\u2018content extended\u2019\u5b57\u6bb5\u5229\u7528\u8be5\u6f0f\u6d1e\u6ce8\u5165\u4efb\u610f\u7684Web\u811a\u672c\u6216HTML\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "KeystoneJS\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2017-32888\uff09\u7684\u8865\u4e01",
  "products": {
    "product": "KeystoneJS KeystoneJS \u003c4.0.0-beta.7"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2017-15881",
  "serverity": "\u4e2d",
  "submitTime": "2017-10-25",
  "title": "KeystoneJS\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\uff08CNVD-2017-32888\uff09"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2017-15881 (GCVE-0-2017-15881)

GSD-2017-15881

FKIE_CVE-2017-15881

GHSA-7CV6-GVX3-M54M

Recommendation

CNVD-2017-32888

Tags

Sightings

Nomenclature