KeystoneJS 4.0.0-beta.5 - Cross-Site Scripting

EDB-ID:

43054




Platform:

NodeJS

Date:

2017-10-25


# Exploit Title: KeystoneJS 4.0.0-beta.5 Unauthenticated Stored XSS
# Vendor Homepage: http://keystonejs.com/
# Exploit Author: Ishaq Mohammed
# Contact: https://twitter.com/security_prince
# Website: https://about.me/security-prince
# Category: WEBAPPS
# Platform: Node.js
# CVE: CVE-2017-15878

Vendor Description:

KeystoneJS is a powerful Node.js content management system and web app
framework built on express and mongoose. Keystone makes it easy to create
sophisticated web sites and apps, and comes with a beautiful auto-generated
Admin UI.
Source: https://github.com/keystonejs/keystone/blob/master/README.md

Technical Details and Exploitation:

A cross-site scripting (XSS) vulnerability exists in
fields/types/markdown/MarkdownType.js in KeystoneJS before 4.0.0-beta.7 via
the Contact Us feature.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15878

Proof of Concept:

1. Navigate to Contact Us page
2. Fill in the details needed and enter the below payload in message field
and send
<a onmouseover=alert(document.cookie)>XSS link</a>
3. Now login as admin and navigate to the above new record created in the
enquiries
4. Move the cursor on the text “XSS link”

Solution:

The issues have been fixed and the vendor has released the patches

https://github.com/keystonejs/keystone/pull/4478/commits/5cb6405dfc0b6d59003c996f8a4aa35baa6b2bac

Reference:

https://github.com/keystonejs/keystone/pull/4478
https://securelayer7.net/download/pdf/KeystoneJS-Pentest-Report-SecureLayer7.pdf