Lucene search

Japan Vulnerability NotesJVN:78862034

HistorySep 30, 2022 - 12:00 a.m.

JVN#78862034: BookStack vulnerable to cross-site scripting

2022-09-3000:00:00

Japan Vulnerability Notes

jvn.jp

bookstack

cross-site scripting

vulnerability

cwe-79

software update

api

web browser

CVSS3

5.4

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

EPSS

0.001

Percentile

37.9%

JSON

BookStack contains a cross-site scripting vulnerability (CWE-79).

Impact

An arbitrary script may be executed on the web browser of the user who is accessing the site using the API of the product.

Solution

Update the Software
Update the software to the latest version according to the information provided by the developer.

According to the developer, when using BookStack content via its API, it is necessary to check the following documentation and add the recommended protections as necessary.
<https://www.bookstackapp.com/docs/admin/security/#using-bookstack-content-externally>

Products Affected

BookStack versions prior to v22.09