{ "affected": [ { "database_specific": { "unresolved_ranges": [ { "events": [ { "introduced": "0" }, { "last_affected": "4.0.0-beta1" } ] }, { "events": [ { "introduced": "0" }, { "last_affected": "4.0.0-beta2" } ] }, { "events": [ { "introduced": "0" }, { "last_affected": "4.0.0-beta3" } ] }, { "events": [ { "introduced": "0" }, { "last_affected": "4.0.0-beta4" } ] }, { "events": [ { "introduced": "0" }, { "last_affected": "4.0.0-beta5" } ] } ] }, "ranges": [ { "database_specific": { "versions": [ { "introduced": "0" }, { "last_affected": "0.3.22" }, { "introduced": "0" }, { "last_affected": "4.0.0-NA" } ] }, "events": [ { "introduced": "0" }, { "last_affected": "16087418577d5e9d8f88dd78a4332b7053b2688d" }, { "introduced": "0" }, { "last_affected": "09685b8e0c50ae45ef43df60e3642064e6275734" } ], "repo": "https://github.com/keystonejs/keystone", "type": "GIT" } ] } ], "details": "Cross-Site Scripting vulnerability in KeystoneJS before 4.0.0-beta.7 allows remote authenticated administrators to inject arbitrary web script or HTML via the \"content brief\" or \"content extended\" field, a different vulnerability than CVE-2017-15878.", "id": "CVE-2017-15881", "modified": "2026-03-15T21:46:12.657219753Z", "published": "2017-10-24T22:29:00.240Z", "references": [ { "type": "ADVISORY", "url": "http://www.securityfocus.com/bid/101541" }, { "type": "REPORT", "url": "http://blog.securelayer7.net/keystonejs-open-source-penetration-testing-report/" }, { "type": "REPORT", "url": "https://github.com/keystonejs/keystone/issues/4437" }, { "type": "FIX", "url": "https://github.com/keystonejs/keystone/pull/4478" } ], "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N", "type": "CVSS_V3" } ] }