Cross-Site Scripting in keystone
Moderate severity
GitHub Reviewed
Published Nov 16, 2017 to the GitHub Advisory Database
Updated Jan 9, 2023
Description
Reviewed
Jun 16, 2020
Versions of keystone prior to 4.0.0 are vulnerable to Cross-Site Scripting (XSS). The package fails to properly encode rendered HTML on admin-created blog posts. This allows attackers to execute arbitrary JavaScript in the victim's browser. Exploiting this vulnerability requires having access to an admin account.
Recommendation
Update to version 4.0.0 or later.
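The encoding gap described above, as an added illustration in JavaScript that is not Keystone's own code: a post-rendering function that concatenates stored fields straight into the page, beside one that HTML-encodes them first. The post object, field names and function names are assumptions for the example.

```javascript
// Added example (not Keystone's code): rendering a stored, admin-authored post.
// The vulnerable form interpolates the stored body as-is, so any markup it
// carries becomes live HTML; the hardened form encodes it as text first.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode a string for safe placement in an HTML text node or quoted attribute.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: stored fields are concatenated straight into the template.
function renderPostVulnerable(post) {
  return `<article><h1>${post.title}</h1><div>${post.body}</div></article>`;
}

// Hardened: every stored field is encoded before it reaches the template.
function renderPostSafe(post) {
  const title = escapeHtml(post.title);
  const body = escapeHtml(post.body);
  return `<article><h1>${title}</h1><div>${body}</div></article>`;
}

// Detection helper for tests: does the rendered output contain a raw <script> tag?
function containsRawScript(html) {
  return /<script\b/i.test(html);
}

// Constructed sample post (hypothetical), as an admin account might save it.
const samplePost = {
  title: 'Release notes',
  body: 'Hello <script>alert(1)</script> world',
};

console.log('vulnerable:', renderPostVulnerable(samplePost));
console.log('hardened:  ', renderPostSafe(samplePost));
```

If the post body is meant to carry rich-text HTML authored in the admin UI, plain text encoding is too coarse and an HTML sanitizer with an explicit tag and attribute allowlist is the appropriate control instead.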