Lucene search

@huntrdevCVELIST:CVE-2021-3767

HistorySep 06, 2021 - 11:17 a.m.

CVE-2021-3767 Cross-site Scripting (XSS) - Stored in bookstackapp/bookstack

2021-09-0611:17:17

CWE-79

@huntrdev

www.cve.org

cve-2021-3767

cross-site scripting

stored

web page generation

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

EPSS

0.001

Percentile

21.4%

JSON

bookstack is vulnerable to Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)

CNA Affected

[
  {
    "product": "bookstackapp/bookstack",
    "vendor": "bookstackapp",
    "versions": [
      {
        "lessThan": "21.08.2",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      }
    ]
  }
]

References

github.com/bookstackapp/bookstack/commit/040997fdc4414776bcac06a3cbaac3b26b5e8a64

huntr.dev/bounties/7ec92c85-30eb-4071-8891-6183446ca980

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

EPSS

0.001

Percentile

21.4%

JSON

Related for CVELIST:CVE-2021-3767