PT-2017-14454 · Keystonejs · Keystonejs

Saurabh Banawar · Published 2017-11-06 · Updated 2018-01-31 · CVE-2017-16570

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: KeystoneJS versions prior to 4.0.0
Description: The issue allows for an application-wide CSRF bypass by removing the CSRF parameter and value. KeystoneJS fails to reject requests that lack an x-csrf-token header, which may allow attackers to carry out actions on behalf of other users on all endpoints.
Recommendations: Update to version 4.0.0 or later. As a temporary workaround, consider restricting access to all endpoints until a patch is available. Avoid using endpoints that do not require the X-CSRF-Token header until the issue is resolved.

Exploit

Fix

CSRF


Weakness Enumeration

Related Identifiers

CVE-2017-16570
GHSA-Q43C-G2G7-6GXJ

Affected Products

Keystonejs