CVE-2017-15881

Name of the Vulnerable Software and Affected Versions KeystoneJS versions prior to 4.0.0

Description The issue allows remote authenticated administrators to inject arbitrary web script or HTML, specifically via the content brief or content extended field. This is a Cross-Site Scripting (XSS) issue where the package fails to properly encode rendered HTML on admin-created blog posts, enabling attackers to execute arbitrary JavaScript in the victim's browser. Exploitation requires access to an admin account.

Recommendations Update to version 4.0.0 or later.