Cross-site Scripting (XSS) - Reflected in keystonejs/keystone

Valid

Reported on

Dec 30th 2021


Description

On the login page, the `from=` URL parameter is used as the post-login redirect target without validation. This is an open redirect, and because the value is also reflected into the page it can be escalated to reflected XSS.

Proof of Concept

  1. Install Keystone 6 on your system.
  2. Go to http://localhost:3000/signin?from=http://evil.com and log in. You will be redirected to evil.com.
  3. Go to http://localhost:3000/signin?from=javascript:alert(document.domain) and log in. After login, you will see two reflected XSS pop-ups.

Impact

This vulnerability lets an attacker redirect users to an arbitrary malicious website via the open redirect, and the reflected XSS can be used to steal cookies or for phishing.
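The mitigation for this class of bug is to treat `from=` as untrusted input and accept only same-origin, absolute-path redirect targets. The following is an added example written for this page; it is not Keystone's code, not the advisory's patch, and the `safeRedirectTarget` and `completeSignin` names are assumptions. It rejects absolute URLs, protocol-relative `//host` forms, backslash variants and non-path values such as `javascript:` URLs, and falls back to a safe default, which closes both the open redirect and the reflected-XSS escalation shown in the proof of concept.

```typescript
// Added example (not Keystone's own code): validate a post-login redirect
// target so that only same-origin absolute-path references are honoured.

const SAFE_DEFAULT = "/";

function safeRedirectTarget(
  from: string | null | undefined,
  fallback: string = SAFE_DEFAULT
): string {
  if (!from) return fallback;

  // Drop control characters and surrounding whitespace, which browsers ignore
  // when parsing a scheme (e.g. "java\tscript:" is still javascript:).
  const candidate = from.replace(/[\u0000-\u001F\u007F]/g, "").trim();

  // Only absolute-path references are allowed: "/path", never "http://..."
  // or "javascript:...".
  if (!candidate.startsWith("/")) return fallback;

  // "//host" is protocol-relative and "/\host" is treated as "//host" by
  // some browsers; both would leave the origin.
  if (candidate.startsWith("//") || candidate.startsWith("/\\")) return fallback;

  // Resolve against a dummy origin and confirm the parser agrees the result
  // stays on that origin; this catches anything the string checks missed.
  const dummyOrigin = "https://example.invalid";
  let parsed: URL;
  try {
    parsed = new URL(candidate, dummyOrigin);
  } catch (_err) {
    return fallback;
  }
  if (parsed.origin !== dummyOrigin) return fallback;

  // Return only path + query + fragment so the dummy origin never leaks out.
  return parsed.pathname + parsed.search + parsed.hash;
}

// Hypothetical sign-in handler showing where the check belongs: the value
// read from the "from" query parameter is validated before it is used as a
// redirect location or rendered into a link.
type SigninResult = { redirectTo: string };

function completeSignin(queryFrom: string | undefined): SigninResult {
  return { redirectTo: safeRedirectTarget(queryFrom) };
}

// Constructed sample inputs mirroring the report's proof of concept.
const samples = [
  "http://evil.com",
  "javascript:alert(document.domain)",
  "//evil.com",
  "/admin/posts?page=2",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", completeSignin(s).redirectTo);
}
```

Allow-listing a path shape is deliberately stricter than trying to block known-bad schemes: new bypasses (case tricks, embedded control characters, odd scheme spellings) do not need to be enumerated because anything that is not an in-origin path is refused.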

Occurrences

We are processing your report and will contact the keystonejs/keystone team within 24 hours. a month ago
We have contacted a member of the keystonejs/keystone team and are waiting to hear back a month ago
We have sent a follow up to the keystonejs/keystone team. We will try again in 7 days. 23 days ago
keystonejs/keystone maintainer validated this vulnerability 23 days ago
Shivansh Khari has been awarded the disclosure bounty
The fix bounty is now up for grabs
keystonejs/keystone maintainer
21 days ago

Maintainer


@shivansh-khari we are adding a security advisory and patch release to the GitHub repository soon (hopefully this week), are you OK with us crediting your listed GitHub account https://github.com/shivansh-khari for the CVE?

Shivansh Khari
21 days ago

Researcher


Yes, Sure, You Can Credit This GitHub Account Of Mine With The CVE, It Would Be Great.

Thanks

Shivansh Khari
18 days ago

Researcher


@Maintainer Please Let Me Know When You Release A Patch And Credit My Account With CVE, Would Like To Validate The Patch And Help.

keystonejs/keystone maintainer
17 days ago

Maintainer


Intended release date for patch is today, we will credit your GitHub account

keystonejs/keystone maintainer
17 days ago

Maintainer


Published at https://github.com/keystonejs/keystone/security/advisories/GHSA-hrgx-7j6v-xj82

Published @keystone-6/auth as 1.0.2

Shivansh Khari
16 days ago

Researcher


Thank You For The Credit, It Was Great Working To Help And Secure Keystone.

Shivansh Khari
16 days ago

Researcher


Also, When Will The CVE Be Published?

keystonejs/keystone maintainer confirmed that a fix has been merged on 96bf83 16 days ago
The fix bounty has been dropped
index.ts#L117 has been validated
keystonejs/keystone maintainer
16 days ago

Maintainer


Could the description be updated to what is in https://github.com/keystonejs/keystone/security/advisories/GHSA-hrgx-7j6v-xj82?

Shivansh Khari
16 days ago

Researcher


Can't Edit Now, I Guess.