CVE-2023-34247 MEDIUM

CVE-2023-34247: @keystone-6/auth Open Redirect vulnerability

Vendor Keystonejs
Product keystone
Weakness CWE-601 · Open redirect
Published June 13, 2023
Last update January 3, 2025

CVSS base score

6.1/10
Attack vector Adjacent
Attack complexity Low
Privileges required Low
User interaction Required
Confidentiality None
Integrity High

CVSS vector

CVSS:3.1/AV:A/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:N

What the vulnerability does

01Description

Keystone is a content management system for Node.JS. There is an open redirect in the `@keystone-6/auth` package versions 7.0.0 and prior, where the redirect leading `/` filter can be bypassed. Users may be redirected to domains other than the relative host, thereby it might be used by attackers to re-direct users to an unexpected location. To mitigate this issue, one may apply a patch from pull request 8626 or avoid using the `@keystone-6/auth` package.

Key dates

02Disclosure timeline

June 13, 2023 CVE published
January 3, 2025 Record updated