PT-2022-12971 · Keystone · Keystone

Published: 2022-01-11 · Updated: 2022-01-18 · CVE-2022-0087

CVSS v3.1: 7.1 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Name of the Vulnerable Software and Affected Versions: keystone versions prior to 1.0.2
Description: The issue is an Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting. It affects users of the administration user interface who follow an untrusted link to the signin or init page. The attack is targeted, typically delivered through phishing, and can be chained with other vulnerabilities.
Recommendations: For versions prior to 1.0.2, upgrade to @keystone-6/auth >= 1.0.2 to resolve the issue. If upgrading is not possible, consider disabling the administration user interface as a temporary workaround. Alternatively, if a reverse proxy is in use, strip query parameters from requests to the administration interface to minimize the risk of exploitation.
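The reverse-proxy workaround above, as an added nginx example (not from the advisory or the Keystone project): requests to the signin and init pages that carry a query string are redirected to the same path without it, so crafted parameters never reach the vulnerable page. The upstream address, port and hostname are assumptions.

```nginx
# Added example, not part of the advisory or of Keystone itself.
upstream keystone_admin {
    server 127.0.0.1:3000;          # assumed: where Keystone listens
}

server {
    listen 443 ssl;
    server_name admin.example.com;  # placeholder hostname
    # ssl_certificate / ssl_certificate_key omitted for brevity

    # The two admin UI pages named in the advisory. $args is empty when
    # the request has no query string, so only parameterised requests
    # are redirected; $uri never includes the query string.
    location ~ ^/(signin|init)$ {
        if ($args) {
            return 302 $uri;
        }
        proxy_pass http://keystone_admin;
        proxy_set_header Host $host;
    }

    # Everything else is proxied unchanged.
    location / {
        proxy_pass http://keystone_admin;
        proxy_set_header Host $host;
    }
}
```

Redirecting rather than rewriting `$uri` into `proxy_pass` leaves the upstream's own URL decoding untouched, at the cost of dropping any legitimate query parameters on those two pages, which is why this is a stop-gap until the upgrade.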

Exploit · Fix · XSS


Weakness Enumeration

Related Identifiers

CVE-2022-0087
GHSA-HRGX-7J6V-XJ82

Affected Products

Keystone