CVE-2023-34247
6.1
CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N
Summary
Keystone is a content management system for Node.JS. There is an open redirect in the @keystone-6/auth package versions 7.0.0 and prior, where the redirect leading / filter can be bypassed. Users may be redirected to domains other than the relative host, thereby it might be used by attackers to re-direct users to an unexpected location. To mitigate this issue, one may apply a patch from pull request 8626 or avoid using the @keystone-6/auth package.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| keystonejs | keystone | <= 7.0.0 | affected |
Weaknesses
- CWE-601: CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
ADP Enrichment
CVE Program Container
Additional References
- https://github.com/keystonejs/keystone/security/advisories/GHSA-jqxr-vjvv-899m
- https://github.com/keystonejs/keystone/pull/8626
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/keystonejs/keystone/security/advisories/GHSA-jqxr-vjvv-899m
- https://github.com/keystonejs/keystone/pull/8626
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.