Vulnerability Description
mdBook is a utility to create modern online books from Markdown files and is written in Rust. In mdBook before version 0.4.5, there is a vulnerability affecting the search feature of mdBook, which could allow an attacker to execute arbitrary JavaScript code on the page. The search feature of mdBook (introduced in version 0.1.4) was affected by a cross site scripting vulnerability that allowed an attacker to execute arbitrary JavaScript code on an user's browser by tricking the user into typing a malicious search query, or tricking the user into clicking a link to the search page with the malicious search query prefilled. mdBook 0.4.5 fixes the vulnerability by properly escaping the search query. Owners of websites built with mdBook have to upgrade to mdBook 0.4.5 or greater and rebuild their website contents with it.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Rust-Lang | Mdbook | >= 0.1.4, < 0.4.5 |
Related Weaknesses (CWE)
References
- https://crates.io/crates/mdbookProductThird Party Advisory
- https://github.com/rust-lang/mdBook/blob/master/CHANGELOG.md#mdbook-045Release NotesThird Party Advisory
- https://github.com/rust-lang/mdBook/commit/32abeef088e98327ca0dfccdad92e84afa9d2PatchThird Party Advisory
- https://github.com/rust-lang/mdBook/security/advisories/GHSA-gx5w-rrhp-f436MitigationThird Party Advisory
- https://groups.google.com/g/rustlang-security-announcements/c/3-sO6of29O0Mailing ListThird Party Advisory
- https://crates.io/crates/mdbookProductThird Party Advisory
- https://github.com/rust-lang/mdBook/blob/master/CHANGELOG.md#mdbook-045Release NotesThird Party Advisory
- https://github.com/rust-lang/mdBook/commit/32abeef088e98327ca0dfccdad92e84afa9d2PatchThird Party Advisory
- https://github.com/rust-lang/mdBook/security/advisories/GHSA-gx5w-rrhp-f436MitigationThird Party Advisory
- https://groups.google.com/g/rustlang-security-announcements/c/3-sO6of29O0Mailing ListThird Party Advisory
FAQ
What is CVE-2020-26297?
CVE-2020-26297 is a vulnerability with a CVSS score of 8.2 (HIGH). mdBook is a utility to create modern online books from Markdown files and is written in Rust. In mdBook before version 0.4.5, there is a vulnerability affecting the search feature of mdBook, which cou...
How severe is CVE-2020-26297?
CVE-2020-26297 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-26297?
Check the references section above for vendor advisories and patch information. Affected products include: Rust-Lang Mdbook.