Report Submission Form
Hi,
I have recently found XSS vulnerability in mdBook (CVE-2020-26297), fixed and disclosed on 4th January 2020.
The details were published in a security advisory here: https://blog.rust-lang.org/2021/01/04/mdbook-security-advisory.html
I did a quick recon and found a couple of vulnerable endpoints:
… where the https://kubernetes-csi.github.io/docs/ is in scope. Update to the latest version and
I understand if this is not eligible for a bounty, as you didn’t have enough time to fix this. On the other hand, I decided to report it anyway, in case you missed it. And because I wasn’t able to find any info grading grace period for 0days or new CVEs in your policy.
Kind regards,
Kamil Vavra
@vavkamil
a) Payload used: x"->xss<img/src/onerror%3Dalert(1)>
b) PoC: https://kubernetes-csi.github.io/docs/?search=x"->xss<img/src/onerror%3Dalert(1)>
Owners of websites built with mdBook have to upgrade to mdBook 0.4.5 or greater and rebuild their website contents with it.
https://vulners.com/cve/CVE-2020-26297
I guess the impact here is minimal, so I submitted it with low severity.