漏洞标题
私有字段数据泄露
漏洞描述信息
私有字段数据泄露
CVSS信息
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
漏洞类别
N/A
漏洞标题
Private Field data leak
漏洞描述信息
Keystone 5 is an open source CMS platform to build Node.js applications. This security advisory relates to a newly discovered capability in our query infrastructure to directly or indirectly expose the values of private fields, bypassing the configured access control. This is an access control related oracle attack in that the attack method guides an attacker during their attempt to reveal information they do not have access to. The complexity of completing the attack is limited by some length-dependent behaviors and the fidelity of the exposed information. Under some circumstances, field values or field value meta data can be determined, despite the field or list having `read` access control configured. If you use private fields or lists, you may be impacted. No patches exist at this time. There are no workarounds at this time
CVSS信息
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
漏洞类别
信息暴露
漏洞标题
Keystone-5 信息泄露漏洞
漏洞描述信息
Keystone-5是开源的一个可扩展的平台。用于快速创建高度自定义的CMS和API。是对KeystoneJS未来的完整重新构想。 Keystone-5 存在信息泄露漏洞,该漏洞可以直接或间接公开私有字段的值,绕过配置的访问控制。这是一种访问控制相关的oracle攻击,攻击者可利用该漏洞试图访问没有访问权限的信息。
CVSS信息
N/A
漏洞类别
信息泄露