Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTV2ZjctcTg3aC1wZzZ3

Cross-Site Scripting in BookStack

Impact

A user with permission to create comments could POST HTML directly to the system to be saved in a comment, which would then be executed/displayed to others users viewing the comment. Through this vulnerability custom JavaScript code could be injected and therefore ran on other user machines.

This most impacts scenarios where not-trusted users are given permission to create comments.

Patches

The issue was addressed in BookStack v0.29.2.

After upgrading, The command php artisan bookstack:regenerate-comment-content should be ran to remove any pre-existing dangerous content.

Workarounds

Comments can be disabled in the system settings to prevent them being shown to users. Alternatively, comment creation permissions can be altered as required to only those who are trusted but this will not address existing exploitation of this vulnerability.

References

For more information

If you have any questions or comments about this advisory:

Permalink: https://github.com/advisories/GHSA-5vf7-q87h-pg6w
JSON: https://advisories.ecosyste.ms/api/v1/advisories/MDE2OlNlY3VyaXR5QWR2aXNvcnlHSFNBLTV2ZjctcTg3aC1wZzZ3
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 4 years ago
Updated: almost 2 years ago


CVSS Score: 6.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Identifiers: GHSA-5vf7-q87h-pg6w, CVE-2020-11055
References: Repository: https://github.com/BookStackApp/BookStack
Blast Radius: 1.0

Affected Packages

packagist:ssddanbrown/bookstack
Dependent packages: 0
Dependent repositories: 0
Downloads: 116 total
Affected Version Ranges: >= 0.18.0, < 0.29.2
Fixed in: 0.29.2
All affected versions: 0.18.0, 0.18.1, 0.18.2, 0.18.3, 0.18.4, 0.18.5, 0.19.0, 0.20.0, 0.20.1, 0.20.2, 0.20.3, 0.21.0, 0.22.0, 0.23.0, 0.23.1, 0.23.2, 0.24.0, 0.24.1, 0.24.2, 0.24.3, 0.25.0, 0.25.1, 0.25.2, 0.25.3, 0.25.4, 0.25.5, 0.26.0, 0.26.1, 0.26.2, 0.26.3, 0.26.4, 0.27.1, 0.27.2, 0.27.3, 0.27.4, 0.27.5, 0.28.0, 0.28.1, 0.28.2, 0.28.3, 0.29.0, 0.29.1
All unaffected versions: 0.5.0, 0.6.0, 0.6.1, 0.6.2, 0.6.3, 0.7.0, 0.7.2, 0.7.3, 0.7.4, 0.7.6, 0.8.0, 0.8.1, 0.8.2, 0.9.0, 0.9.1, 0.9.2, 0.9.3, 0.10.0, 0.11.0, 0.11.1, 0.11.2, 0.12.0, 0.12.1, 0.12.2, 0.13.0, 0.13.1, 0.14.0, 0.14.1, 0.14.2, 0.14.3, 0.15.0, 0.15.1, 0.15.2, 0.15.3, 0.16.0, 0.16.1, 0.16.2, 0.16.3, 0.17.0, 0.17.1, 0.17.2, 0.17.3, 0.17.4, 0.29.2, 0.29.3, 0.30.0, 0.30.1, 0.30.2, 0.30.3, 0.30.4, 0.30.5, 0.30.6, 0.30.7, 0.31.0, 0.31.1, 0.31.2, 0.31.3, 0.31.4, 0.31.5, 0.31.6, 0.31.7, 0.31.8, 21.4.1, 21.4.2, 21.4.3, 21.4.4, 21.4.5, 21.4.6, 21.5.1, 21.5.2, 21.5.3, 21.5.4, 21.8.1, 21.8.2, 21.8.3, 21.8.4, 21.8.5, 21.8.6, 21.10.1, 21.10.2, 21.10.3, 21.11.1, 21.11.2, 21.11.3, 21.12.1, 21.12.2, 21.12.3, 21.12.4, 21.12.5, 22.2.1, 22.2.2, 22.2.3, 22.3.1, 22.4.1, 22.4.2, 22.6.1, 22.6.2, 22.7.1, 22.7.2, 22.7.3, 22.9.1, 22.10.1, 22.10.2, 22.11.1, 23.1.1, 23.2.1, 23.2.2, 23.2.3, 23.5.1, 23.5.2, 23.6.1, 23.6.2, 23.8.1, 23.8.2, 23.8.3, 23.10.1, 23.10.2, 23.10.3, 23.10.4, 23.12.1, 23.12.2, 23.12.3, 24.2.1, 24.2.2, 24.2.3, 24.5.1, 24.5.2, 24.5.3, 24.5.4