Google OSV: GHSA-9C5C-5J4H-8Q2C
History: Dec 16, 2021 - 7:40 p.m.

BookStack is vulnerable to Improper Access Control.

Date: 2021-12-16 19:40:26
Source: Google (osv.dev)
9
Tags: bookstack, improper access control, data exposure, usernames, email security, vulnerability

EPSS: 0.002 (percentile 61.7%)

BookStack prior to version 21.11.3 is vulnerable to Improper Access Control. A logged-in user with no privileges, or a guest user if public access is enabled, can access the /search/users/select AJAX endpoint, which is meant for admins managing audit logs, and use it to dump all usernames in the BookStack database. The same endpoint can also be used to harvest users' email addresses, because BookStack searches users by email with the query builder call where('email', 'like', '%' . $search . '%'): a substring search on the email column reveals which users' addresses contain the searched fragment, so an address can be recovered piece by piece even though it is never returned directly.
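The two problems in the description, the missing authorization check and the substring LIKE on the email column, are easier to see in a small model. The following Python is an added example written for this page, not BookStack's code and not the 21.11.3 patch: it builds an in-memory SQLite table of constructed users, models the described endpoint as user_select_vulnerable (no permission check, LIKE over name and email), shows one illustrative hardening in user_select_fixed (a permission gate, name-only matching, and LIKE wildcard escaping; the permission name users-manage and the caller dictionaries are assumptions), and shows in harvest_email how the substring match acts as an oracle that rebuilds an address one confirmed character per request. SQLite's LIKE, like MySQL's default, is case-insensitive on ASCII, so the model is faithful for that purpose.

```python
import sqlite3

# Constructed sample users; not data from any real BookStack instance.
SAMPLE_USERS = [
    ("Admin User", "admin@example.org"),
    ("Alice Example", "alice@example.org"),
    ("Bob Builder", "bob@corp.example"),
]

# Assumed caller model: a set of permission names. "users-manage" is an
# illustrative admin permission here, not a claim about BookStack's code.
GUEST = {"permissions": set()}
ADMIN = {"permissions": {"users-manage"}}


def make_db():
    """Build an in-memory SQLite table standing in for the users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def user_select_vulnerable(conn, caller, search):
    """Model of the endpoint as described: no permission check, and a
    substring LIKE over both name and email, i.e. '%' . $search . '%'."""
    pattern = f"%{search}%"
    rows = conn.execute(
        "SELECT name FROM users WHERE name LIKE ? OR email LIKE ? ORDER BY name",
        (pattern, pattern),
    ).fetchall()
    return [r[0] for r in rows]


def _escape_like(term):
    """Escape LIKE metacharacters so user input is matched literally."""
    return term.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")


def user_select_fixed(conn, caller, search):
    """Illustrative hardening (not the project's actual patch): gate the
    endpoint behind a permission, match on name only so the email column
    is never a search oracle, and escape LIKE wildcards in the input."""
    if "users-manage" not in caller["permissions"]:
        raise PermissionError("users-manage permission required")
    pattern = f"%{_escape_like(search)}%"
    rows = conn.execute(
        "SELECT name FROM users WHERE name LIKE ? ESCAPE '\\' ORDER BY name",
        (pattern,),
    ).fetchall()
    return [r[0] for r in rows]


# '_' and '%' are LIKE wildcards, so they are left out of the alphabet:
# appending '_' would match every address and the search would never end.
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789.-+"


def _present(conn, target_name, fragment):
    """Oracle query: does the target user's email contain this fragment?
    Fragments always contain '@', so the name column never matches."""
    return target_name in user_select_vulnerable(conn, GUEST, fragment)


def harvest_email(conn, target_name):
    """Reconstruct a user's email address through the vulnerable endpoint.
    Start from '@', extend to the right to recover the domain, then to the
    left to recover the local part, one character per confirmed query."""
    fragment = "@"
    for side in ("right", "left"):
        while True:
            for c in ALPHABET:
                candidate = fragment + c if side == "right" else c + fragment
                if _present(conn, target_name, candidate):
                    fragment = candidate
                    break
            else:
                break  # no character extends the match: end of the address
    return fragment


if __name__ == "__main__":
    db = make_db()
    print("guest dumps all names:", user_select_vulnerable(db, GUEST, "@"))
    print("guest harvests an address:", harvest_email(db, "Alice Example"))
    try:
        user_select_fixed(db, GUEST, "@")
    except PermissionError as exc:
        print("fixed endpoint refuses guest:", exc)
    print("admin, name-only search:", user_select_fixed(db, ADMIN, "@"))
```

Searching for "@" alone is enough to list every user, since every stored email contains it, and a search for "_" does the same in the vulnerable version because LIKE treats it as a single-character wildcard; the hardened version escapes it and matches nothing. Harvesting costs at most len(ALPHABET) requests per recovered character, which is cheap against an unauthenticated endpoint.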
