CVE-2020-26210 — HIGH (7.7)

Q: How severe is CVE-2020-26210?

CVE-2020-26210 has been rated HIGH with a CVSS base score of 7.7/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2020-26210?

Check the references section above for vendor advisories and patch information. Affected products include: Bookstackapp Bookstack.

Vulnerability Description

In BookStack before version 0.30.4, a user with permissions to edit a page could add an attached link which would execute untrusted JavaScript code when clicked by a viewer of the page. Dangerous content may remain in the database after this update. If you think this could have been exploited the linked advisory provides a SQL query to test. As a workaround, page edit permissions could be limited to only those that are trusted until you can upgrade although this will not address existing exploitation of this vulnerability. The issue is fixed in version 0.30.4.

CVSS Score

7.7

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

REQUIRED

Scope

CHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

NONE

Affected Products

Vendor	Product	Versions
Bookstackapp	Bookstack	< 0.30.4

Related Weaknesses (CWE)

CWE-79

References

https://bookstackapp.com/blog/beta-release-v0-30-4/ExploitPatchVendor Advisory
https://github.com/BookStackApp/BookStack/commit/349162ea139556b2d25e09e155cec84PatchThird Party Advisory
https://github.com/BookStackApp/BookStack/releases/tag/v0.30.4Third Party Advisory
https://github.com/BookStackApp/BookStack/security/advisories/GHSA-7p2j-4h6p-cq3ExploitThird Party Advisory
https://bookstackapp.com/blog/beta-release-v0-30-4/ExploitPatchVendor Advisory
https://github.com/BookStackApp/BookStack/commit/349162ea139556b2d25e09e155cec84PatchThird Party Advisory
https://github.com/BookStackApp/BookStack/releases/tag/v0.30.4Third Party Advisory
https://github.com/BookStackApp/BookStack/security/advisories/GHSA-7p2j-4h6p-cq3ExploitThird Party Advisory

FAQ

What is CVE-2020-26210?

CVE-2020-26210 is a vulnerability with a CVSS score of 7.7 (HIGH). In BookStack before version 0.30.4, a user with permissions to edit a page could add an attached link which would execute untrusted JavaScript code when clicked by a viewer of the page. Dangerous cont...

How severe is CVE-2020-26210?

CVE-2020-26210 has been rated HIGH with a CVSS base score of 7.7/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2020-26210?

Check the references section above for vendor advisories and patch information. Affected products include: Bookstackapp Bookstack.