PT-2020-16341 · Bookstack

Published 2020-11-03 · Updated 2022-05-24 · CVE-2020-26211

CVSS v3.1: 8.7 (High)
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions: BookStack versions prior to 0.30.4
Description: A user with permission to edit a page could insert JavaScript through javascript: URIs in a link or a form; the script runs in the context of the current page when the link is clicked or the form is submitted. Additionally, such a user could insert a particular meta tag that silently redirects visitors to an alternative location when the page is viewed. After the fix, dangerous content may remain in the database but is removed before being displayed on a page. If you suspect the issue was exploited before the upgrade, the stored page HTML can be searched with a SQL query for such content.
Recommendations: For versions prior to 0.30.4, upgrade to BookStack 0.30.4 to fix the issue. As a temporary workaround without upgrading, restrict page edit permissions to trusted users until you can upgrade; this does not address existing exploitation of the issue.

Fix

XSS


Weakness Enumeration

Related Identifiers

CVE-2020-26211
GHSA-CH37-CH8W-CFRQ
GHSA-R2CF-8778-3JGP

Affected Products

Bookstack