Keystone-6 Auth vulnerabilities
2 known vulnerabilities affecting keystone-6/auth.
Total CVEs: 2
CISA KEV: 0
Public exploits: 1
Exploited in wild: 0
Severity breakdown: HIGH 1, MEDIUM 1
Vulnerabilities
CVE-2022-0087 | P3 | HIGH | PoC | affected: ≥ 0, < 1.0.2 | published 2022-01-12
CVE-2022-0087 [HIGH] CWE-79 Reflected cross-site scripting (XSS) vulnerability
Reflected cross-site scripting (XSS) vulnerability
This security advisory relates to a capability for an attacker to exploit a reflected cross-site scripting vulnerability when using the `@keystone-6/auth` package.
#### Impact
The vulnerability can impact users of the administration user interface when following an untrusted link to the `signin` or `init` page.
This is a targeted attack and may present itself in the
CVE-2023-34247 | P4 | MEDIUM | CVSS 6.1 | affected: ≥ 0, < 7.0.0 | published 2023-06-14
CVE-2023-34247 [MEDIUM] CWE-601 @keystone-6/auth Open Redirect vulnerability
@keystone-6/auth Open Redirect vulnerability
### Summary
There is an open redirect in the `@keystone-6/auth` package: the filter that only accepts redirect targets beginning with a leading `/` can be bypassed.
### Impact
Users may be redirected to domains other than the relative host, so an attacker could use this to redirect users to an unexpected location.
### Mitigations
- Don't use the `@keystone-6/auth` package
### References
- [CWE-601: