PT-2022-13494 · Bookstack · Bookstack

Published

2022-03-08

Updated

2022-03-11

CVE-2022-0877

CVSS v3.1

7.6

High

Vector

AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:H

Name of the Vulnerable Software and Affected Versions bookstack versions prior to 22.02.3

Description The issue is related to Cross-site Scripting (XSS) - Stored, where an attacker can execute malicious javascript via an iframe and perform phishing attacks. This is due to the lack of a sandbox attribute in iframe tags, which allows script execution and navigation of the top-level browsing context. The sandbox attribute would block script execution and prevent such attacks.

Recommendations For versions prior to 22.02.3, update to version 22.02.3 or later to resolve the issue. As a temporary workaround, consider adding a sandbox attribute to iframe tags to block script execution and prevent navigation of the top-level browsing context. Restrict access to iframes from untrusted sources to minimize the risk of exploitation.

Exploit

Fix

XSS

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-79

Related Identifiers

CVE-2022-0877

GHSA-5RCC-6CMJ-7728

Affected Products

Bookstack

PT-2022-13494 · Bookstack · Bookstack

CVE-2022-0877

Weakness Enumeration

Related Identifiers

Affected Products

References · 10