CSRF Bypass Vulnerability in KeystoneJS Framework by Getkeystone
CVE-2017-16570

8.8HIGH

Key Information:

Vendor

Keystonejs

Status
Keystone
Vendor
CVE Published:
6 November 2017

What is CVE-2017-16570?

The vulnerability in KeystoneJS allows attackers to bypass Cross-Site Request Forgery (CSRF) protection by omitting the necessary x-csrf-token header. This flaw enables unauthorized requests, potentially leading to unauthorized actions within affected applications. Prior to version 4.0.0-beta.7, KeystoneJS did not adequately enforce CSRF token verification, posing security risks for developers relying on this framework.

References

http://blog.securelayer7.net/keystonejs-open-source-penet...
x_refsource_MISC
https://github.com/keystonejs/keystone/issues/4437
x_refsource_MISC
https://github.com/keystonejs/keystone/pull/4478
x_refsource_MISC

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.