Vulnerability Description
BookStack before version 0.25.5 has a vulnerability where a user could upload PHP files through image upload functions, which would allow them to execute code on the host system remotely. They would then have the permissions of the PHP process. This most impacts scenarios where non-trusted users are given permission to upload images in any area of the application. The issue was addressed in a series of patches in versions 0.25.3, 0.25.4 and 0.25.5. Users should upgrade to at least v0.25.5 to avoid this vulnerability.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Bookstackapp | Bookstack | < 0.25.3 |
Related Weaknesses (CWE)
References
- https://github.com/BookStackApp/BookStack/releases/tag/v0.25.3Release Notes
- https://github.com/BookStackApp/BookStack/releases/tag/v0.25.4Release Notes
- https://github.com/BookStackApp/BookStack/releases/tag/v0.25.5Release Notes
- https://github.com/BookStackApp/BookStack/security/advisories/GHSA-g9rq-x4fj-f5hThird Party Advisory
- https://github.com/BookStackApp/BookStack/releases/tag/v0.25.3Release Notes
- https://github.com/BookStackApp/BookStack/releases/tag/v0.25.4Release Notes
- https://github.com/BookStackApp/BookStack/releases/tag/v0.25.5Release Notes
- https://github.com/BookStackApp/BookStack/security/advisories/GHSA-g9rq-x4fj-f5hThird Party Advisory
FAQ
What is CVE-2020-5256?
CVE-2020-5256 is a vulnerability with a CVSS score of 7.9 (HIGH). BookStack before version 0.25.5 has a vulnerability where a user could upload PHP files through image upload functions, which would allow them to execute code on the host system remotely. They would t...
How severe is CVE-2020-5256?
CVE-2020-5256 has been rated HIGH with a CVSS base score of 7.9/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-5256?
Check the references section above for vendor advisories and patch information. Affected products include: Bookstackapp Bookstack.