Server Side Request Forgery in BookStack
CVE-2020-26260

6.4MEDIUM

Key Information:

Vendor

Bookstackapp

Status
Bookstack
Vendor
CVE Published:
9 December 2020

What is CVE-2020-26260?

BookStack is a platform for storing and organising information and documentation. In BookStack before version 0.30.5, a user with permissions to edit a page could set certain image URL's to manipulate functionality in the exporting system, which would allow them to make server side requests and/or have access to a wider scope of files within the BookStack file storage locations. The issue was addressed in BookStack v0.30.5. As a workaround, page edit permissions could be limited to only those that are trusted until you can upgrade.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

BookStack >= v0.7, < v0.30.5

References

https://github.com/BookStackApp/BookStack/security/adviso...
x_refsource_CONFIRM
https://bookstackapp.com/blog/beta-release-v0-30-5/
x_refsource_MISC
https://github.com/BookStackApp/BookStack/releases/tag/v0...
x_refsource_MISC

CVSS V3.1

Score:
6.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.