Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
cveGitHub_MCVE-2020-26211
HistoryNov 03, 2020 - 9:15 p.m.

CVE-2020-26211

2020-11-0321:15:12
CWE-79
GitHub_M
web.nvd.nist.gov
32
bookstack
cve-2020-26211
security vulnerability
javascript execution
silent redirection
sql injection
upgrade recommendatio

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

8.7

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

AI Score

8.4

Confidence

High

EPSS

0.001

Percentile

39.6%

JSON

In BookStack before version 0.30.4, a user with permissions to edit a page could insert JavaScript code through the use of javascript: URIs within a link or form which would run, within the context of the current page, when clicked or submitted. Additionally, a user with permissions to edit a page could insert a particular meta tag which could be used to silently redirect users to a alternative location upon visit of a page. Dangerous content may remain in the database but will be removed before being displayed on a page. If you think this could have been exploited the linked advisory provides a SQL query to test. As a workaround without upgrading, page edit permissions could be limited to only those that are trusted until you can upgrade although this will not address existing exploitation of this vulnerability. The issue is fixed in BookStack version 0.30.4.

Affected configurations

Nvd
Vulners
Node
bookstackappbookstackRange<0.30.4
VendorProductVersionCPE
bookstackappbookstack*cpe:2.3:a:bookstackapp:bookstack:*:*:*:*:*:*:*:*

CNA Affected

[
  {
    "product": "BookStack",
    "vendor": "BookStackApp",
    "versions": [
      {
        "status": "affected",
        "version": "< 0.30.4"
      }
    ]
  }
]

Related

nvd 1
prion 1
osv 2
github 1
cvelist 1
nvd
nvd
CVE-2020-26211
2020-11-03 21:15:12
prion
prion
Code injection
2020-11-03 21:15:00
osv
osv
Bookstack Cross-site Scripting vulnerability
2022-05-24 17:32:59
CVE-2020-26211
2020-11-03 21:15:12
github
github
Bookstack Cross-site Scripting vulnerability
2022-05-24 17:32:59
cvelist
cvelist
CVE-2020-26211 Cross-Site Scripting in BookStack
2020-11-03 21:00:18

CVSS2

3.5

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

NONE

Integrity Impact

PARTIAL

Availability Impact

NONE

AV:N/AC:M/Au:S/C:N/I:P/A:N

CVSS3

8.7

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

AI Score

8.4

Confidence

High

EPSS

0.001

Percentile

39.6%

JSON
Related for CVE-2020-26211
nvd1prion1osv2github1cvelist1