github keystonejs/keystone 2022-01-10
🔒 10th January 2022


This patch release is related to security advisory CVE-2022-0087.

"@keystone-6/auth": "1.0.2"

Security Advisory 🔒

This patch relates to a security advisory: it removes the ability for an attacker to exploit a reflected cross-site scripting vulnerability in previous versions of the @keystone-6/auth package. The original security advisory is located here.

Impact

The vulnerability can affect users of the administration user interface who follow an untrusted link to the signin or init page.
This is a targeted attack and may present itself in the form of phishing, and/or be chained with some other vulnerability.

Mitigation

Please upgrade to @keystone-6/auth >= 1.0.2 (this patch), where this vulnerability has been closed.
If you are using @keystone-next/auth, we strongly recommend you upgrade to @keystone-6.

Workarounds

If for some reason you cannot upgrade the dependencies in your software, you could alternatively

  • disable the administration user interface, or
  • if using a reverse-proxy, strip query parameters when accessing the administration interface

References

https://owasp.org/www-community/attacks/xss/

Credits

Thanks to Shivansh Khari (@Shivansh-Khari) for discovering and reporting this vulnerability.


Changelog

You can also view the verbose changelog in the related PR (#7156) for this release.
