Open Redirect

Affecting keystone package, versions >=0.2.7 <0.3.6


Overview

keystone is a Web Application Framework and Admin GUI / Content Management System built on Express.js and Mongoose. Affected versions of the package are vulnerable to Open Redirection, which occurs when a vulnerable web page redirects the user to an untrusted, attacker-chosen page that may compromise the user. Open redirection is usually combined with phishing, because the crafted link still points at the legitimate site and looks identical to a genuine link, which increases the likelihood that the phishing attempt succeeds.
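The underlying defect in any open redirect is that a user-supplied target is passed to the redirect unchecked. The following is an added example, not keystone's own code, of the kind of validation an Express-style application can apply to a redirect parameter so that only relative paths on the application's own origin are honoured; the function name, the `next` parameter name and the placeholder origin `https://app.example` are assumptions.

```javascript
// Added example (not keystone's code): return a safe same-origin path for a
// user-supplied redirect target, or a fallback if the value cannot be trusted.
// Only absolute-path references ("/admin/items?page=2") are accepted; absolute
// URLs, protocol-relative URLs and non-http schemes are rejected.
function safeRedirectTarget(candidate, fallback = '/') {
  if (typeof candidate !== 'string' || candidate.length === 0) return fallback;

  // Decode once so a percent-encoded "//" cannot smuggle a cross-origin target.
  let decoded;
  try {
    decoded = decodeURIComponent(candidate);
  } catch {
    return fallback; // malformed percent-encoding
  }

  // Control characters (tabs/newlines are stripped by URL parsers) and
  // backslashes (treated as "/" by browsers) are never legitimate here.
  if (/[\x00-\x1f\x7f\\]/.test(decoded)) return fallback;

  // Must be a single-slash absolute path: "/path", not "//host" or "https://host".
  if (!decoded.startsWith('/') || decoded.startsWith('//')) return fallback;

  // Resolve against a placeholder origin (assumption) and confirm the origin
  // did not change; the WHATWG URL parser applies the same rules a browser would.
  const base = 'https://app.example';
  let parsed;
  try {
    parsed = new URL(decoded, base);
  } catch {
    return fallback;
  }
  if (parsed.origin !== base) return fallback;

  return parsed.pathname + parsed.search + parsed.hash;
}

// Example Express-style usage (hypothetical route shape):
//   app.post('/signin', (req, res) => {
//     // ...authenticate...
//     res.redirect(safeRedirectTarget(req.query.next, '/dashboard'));
//   });

module.exports = { safeRedirectTarget };
```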

Remediation

Upgrade keystone to version 0.3.6 or higher.

CVSS Score

6.5
medium severity
  • Attack Vector
    Network
  • Attack Complexity
    Low
  • Privileges Required
    None
  • User Interaction
    Required
  • Scope
    Unchanged
  • Confidentiality
    High
  • Integrity
    None
  • Availability
    None
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Credit
Oliver Jenkins
CWE
CWE-601
Snyk ID
npm:keystone:20140316
Disclosed
15 Mar, 2014
Published
21 Mar, 2017