CVE-2023-34247

Published: Jun 13, 2023

Modified: Jan 3, 2025

PUBLISHED

CVSS v3.1

6.1

MEDIUM

Description

Keystone is a content management system for Node.JS. There is an open redirect in the `@keystone-6/auth` package versions 7.0.0 and prior, where the redirect leading `/` filter can be bypassed. Users may be redirected to domains other than the relative host, thereby it might be used by attackers to re-direct users to an unexpected location. To mitigate this issue, one may apply a patch from pull request 8626 or avoid using the `@keystone-6/auth` package.

Vendor	Product	Versions
keystonejs	keystone	affected `<= 7.0.0`

Weaknesses (CWE)

CWE-601

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

Low

User Interaction

Required

Scope

Changed

Confidentiality

None

Integrity

High

Availability

None

References

https://github.com/keystonejs/keystone/security/advisories/GHSA-jqxr-vjvv-899m

x_refsource_CONFIRM

https://github.com/keystonejs/keystone/pull/8626

x_refsource_MISC

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Start Training

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.

Scan Now

CVE-2023-34247

Description

Affected Products

Weaknesses (CWE)

CVSS v3.1 Details

References