Cross-site Scripting (XSS) - Reflected in keystonejs/keystone
Reported on Dec 30th 2021
Description
On the login page, there is a "from=" parameter in the URL that is vulnerable to open redirect and can be escalated to reflected XSS.
Proof of Concept
- Install Keystone 6 on your system.
- Go to http://localhost:3000/signin?from=http://evil.com and log in; you will be redirected to evil.com.
- Go to http://localhost:3000/signin?from=javascript:alert(document.domain) and log in; after login you will see two reflected XSS pop-ups.
Impact
This vulnerability can redirect users to any malicious website via the open redirect, and the reflected XSS can help an attacker fetch cookies and conduct phishing.
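The root cause described above is a post-login redirect target taken straight from the "from" query parameter. The following is an added example (not Keystone's own code or fix) of the kind of check a server should apply to such a parameter: only a same-origin, path-relative target is accepted, and absolute URLs, protocol-relative URLs and pseudo-schemes like javascript: fall back to a safe default. The parameter name, the fallback path and the localhost origin are assumptions for this example.

```javascript
// Added example: validate a post-login redirect target such as the signin
// page's `from` query parameter before redirecting to it.
const SAFE_DEFAULT = '/'; // assumed fallback landing page

function safeRedirectTarget(from, fallback = SAFE_DEFAULT) {
  if (typeof from !== 'string' || from.length === 0) return fallback;

  // Only a single leading '/' is acceptable. This rejects absolute URLs
  // ('http://evil.com'), scheme-only values ('javascript:...'),
  // protocol-relative URLs ('//evil.com') and the backslash variant
  // ('/\evil.com'), which WHATWG-style parsers treat as '//evil.com'.
  if (!from.startsWith('/') || from.startsWith('//') || from.startsWith('/\\')) {
    return fallback;
  }

  // Reject control characters and whitespace: some parsers strip them
  // before scheme detection (e.g. "java\tscript:"), so refuse them outright.
  if (/[\u0000-\u0020\u007f]/.test(from)) return fallback;

  // Final check: resolve against a fixed origin (constructed for this
  // example) and confirm the URL parser agrees the result stays on it.
  const origin = 'http://localhost:3000';
  let parsed;
  try {
    parsed = new URL(from, origin);
  } catch {
    return fallback;
  }
  if (parsed.origin !== origin) return fallback;

  // Return only the path component, never the origin, so the redirect is
  // always relative to the application itself.
  return parsed.pathname + parsed.search + parsed.hash;
}
```

Both values from the proof of concept above are rejected by this check, while an ordinary in-app path such as /dashboard?tab=1 passes through unchanged.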
@shivansh-khari we are adding a security advisory and patch release to the GitHub repository soon (hopefully this week), are you OK with us crediting your listed GitHub account https://github.com/shivansh-khari for the CVE?
Yes, sure, you can credit this GitHub account with the CVE; it would be great.
Thanks
@Maintainer Please let me know when you release a patch and credit my account with the CVE; I would like to validate the patch and help.
The intended release date for the patch is today; we will credit your GitHub account.
Published at https://github.com/keystonejs/keystone/security/advisories/GHSA-hrgx-7j6v-xj82
Published @keystone-6/auth as 1.0.2
Thank you for the credit; it was great working to help secure Keystone.
Could the description be updated to what is in https://github.com/keystonejs/keystone/security/advisories/GHSA-hrgx-7j6v-xj82?
