cbcvebase.
CVE-2022-0087
published 2022-01-12

CVE-2022-0087: keystone is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Priority: P3 36 medium
CVSS 3.1: 6.1 (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
EXPLOIT
EPSS: 2.60% (83.4th percentile)
keystone is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Affected

4 ranges

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| keystone-6 | auth | >= 0 < 1.0.2 | 1.0.2 |
| keystone-next | auth | 0 – 37.0.0 | |
| keystonejs | keystone | < 1.0.2 | 1.0.2 |
| keystonejs | keystonejs_keystone | >= unspecified < @keystone-6/auth@1.0.2 | @keystone-6/auth@1.0.2 |

Detection & IOCs (extracted from sources)

url: {{BaseURL}}/signin?from=https://interact.sh
url: {{BaseURL}}/signin?from=javascript:alert(document.cookie)
  • Detect open redirect exploitation: look for the HTTP response header 'Location: https://interact.sh' following a request to /signin with the from= parameter
  • Detect reflected XSS exploitation: look for 'alert(document.cookie)' reflected in the HTTP response body after a request to /signin with the from= parameter
  • The vulnerable endpoint is the login page at /signin with the 'from=' URL parameter, which is susceptible to both open redirect and reflected XSS
  • Monitor GET requests to /signin?from= containing javascript: URI scheme payloads as an indicator of XSS exploitation attempts
  • The vulnerability is fixed in @keystone-6/auth >= 1.0.2; detections targeting this CVE are only relevant against unpatched instances running versions below this threshold
  • The nuclei template uses two separate matchers (AND condition): one checks the response header for the redirect Location, the other checks the response body for the XSS payload reflection; both must match for a confirmed positive
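
One way to apply the monitoring guidance above to web server access logs, as an added example that is not part of the original page or the nuclei template. It generalizes slightly beyond the two listed URLs by flagging any `from=` value on `/signin` that is not a plain local path; the log lines, the combined-log layout and the function names are constructed assumptions.

```python
import re
from urllib.parse import parse_qs

# Constructed sample access-log lines (not real traffic); IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.5 - - [12/Jan/2022:10:00:01 +0000] "GET /signin?from=%2Fposts HTTP/1.1" 200 5120
203.0.113.9 - - [12/Jan/2022:10:00:07 +0000] "GET /signin?from=https://interact.sh HTTP/1.1" 302 0
203.0.113.9 - - [12/Jan/2022:10:00:09 +0000] "GET /signin?from=JavaScript%3Aalert(document.cookie) HTTP/1.1" 200 5210
198.51.100.2 - - [12/Jan/2022:10:01:00 +0000] "GET /signin?from=%2F%2Fexample.test HTTP/1.1" 302 0
198.51.100.7 - - [12/Jan/2022:10:02:00 +0000] "GET /api/graphql?from=https://interact.sh HTTP/1.1" 200 17
"""

REQUEST = re.compile(r'^(\S+) .*?"(?:GET|HEAD|POST) (\S+) HTTP/[\d.]+" (\d{3})')
SCHEME = re.compile(r"([a-z][a-z0-9+.\-]*):", re.IGNORECASE)
SCRIPT_SCHEMES = {"javascript", "data", "vbscript"}

def classify_from(value):
    """Label a decoded `from` value, or return None for a plain local path."""
    # Strip whitespace and control characters before matching; browsers
    # ignore leading ones and embedded tabs/newlines when resolving a URL.
    cleaned = re.sub(r"[\x00-\x20]+", "", value)
    match = SCHEME.match(cleaned)
    if match:
        scheme = match.group(1).lower()
        return "xss-scheme" if scheme in SCRIPT_SCHEMES else "open-redirect"
    if cleaned.startswith(("//", "/\\", "\\")):
        return "open-redirect"  # scheme-relative target leaves the site
    return None

def scan(log_text):
    """Return (client, status, label, value) for each suspicious /signin request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        client, target, status = m.group(1), m.group(2), int(m.group(3))
        path, _, query = target.partition("?")
        if path.rstrip("/") != "/signin":
            continue
        for value in parse_qs(query).get("from", []):  # parse_qs percent-decodes
            label = classify_from(value)
            if label:
                hits.append((client, status, label, value))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

A hit only shows that the request was attempted; confirming impact still needs the response-side checks listed above (the `Location` header or the reflected payload) and an instance running a version below 1.0.2.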

CVSS provenance

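| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.1 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| nvd | v3.0 | 7.1 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L |
| nvd | v2.0 | 4.3 | MEDIUM | AV:N/AC:M/Au:N/C:N/I:P/A:N |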