CMS
apostrophecms/apostrophe
A full-featured, open-source content management framework built with Node.js that empowers organizations by combining in-context editing and headless architecture in a full-stack JS environment.
#cms#cms-framework#node#javascript#apostrophe#nodejs#node-js#jamstack#website-builder
Score
90
/ 100
Star
4,557
Fork
629
Open Issue
121
Size
49MB
Language
JavaScript ★
Last push
0 days ago
Docker
—
Scoring breakdown
Past CVEs: 14 (somewhat many)
✓ Most recent push: 1 day ago
✓ Primary language (JavaScript)
✓ Open issues: 121
✓ Medium size (49MB)
✓ Docker: not supported
— 1k–10k: best for beginners (★4,557)
✓ Note: see "Scoring rules" for the weight of each item. The total is floored at 0.
Past Security Advisories (14)
- Authenticated SSRF in rich-text widget import via @apostrophecms/area/validate-widget
- Command Injection in apos create via Unsanitized Password Input (CWE-78)
- Weak Password Recovery Mechanism for Forgotten Password and Improper Input Validation in apostrophe
- Stored XSS via javascript: URL in Image Widget Link
- Default XSS via `xmp` raw-text passthrough in `sanitize-html`
- Stored Cross-Site Scripting via Unsanitized User Display Name in Draft Version Tooltip
- User Enumeration via Timing Side Channel in Password Reset Endpoint
- publicApiProjection Bypass via `project` Query Builder in Piece-Type REST API
- Stored XSS via CSS Custom Property Injection in `@apostrophecms/color-field` Escaping Style Tag Context
- sanitize-html allowedTags Bypass via Entity-Decoded Text in nonTextTags Elements
- Information Disclosure via `choices`/`counts` Query Parameters Bypassing publicApiProjection Field Restrictions
- Stored XSS in SEO Fields Leads to Authenticated API Data Exposure in ApostropheCMS
- MFA/TOTP Bypass via Incorrect MongoDB Query in Bearer Token Middleware
- Arbitrary File Write (Zip Slip / Path Traversal) in Import-Export Gzip Extraction