CVE-2022-0877
Published: 2022-03-08
CVE-2022-0877: Cross-site Scripting (XSS) - Stored in GitHub repository bookstackapp/bookstack prior to v22.02.3.
Priority: P4 24 · Severity: medium · CVSS 3.1 base score: 5.4
Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
EPSS: 0.77% (51.0th percentile)
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| bookstackapp | bookstack | < 22.02.3 | 22.02.3 |
| bookstackapp | bookstackapp_bookstack | >= unspecified < v22.02.3 | v22.02.3 |
| ssddanbrown | bookstack | >= 0 < 22.02.3 | 22.02.3 |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 5.4 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| nvd | v3.0 | 7.6 | HIGH | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:L/A:H |
| nvd | v2.0 | 3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:P/A:N |
GHSA · 2022-03-09
CVE-2022-0877 [MEDIUM] CWE-79 Cross-site Scripting in BookStack
Iframe tags don't have a sandbox attribute; this makes an attacker able to execute malicious JavaScript via an iframe and perform phishing attacks. The sandbox attribute will block script execution and prevent the content from navigating its top-level browsing context, which will stop this type of attack.
OSV · 2022-03-09
CVE-2022-0877 [MEDIUM] Cross-site Scripting in BookStack (description identical to the GHSA entry above)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References
- https://github.com/bookstackapp/bookstack/commit/856fca8289b7370cafa033ea21c408e7d4303fd6
- https://huntr.dev/bounties/b04df4e3-ae5a-4dc6-81ec-496248b15f3c
Published: 2022-03-08