CVE-2022-0877 – ssddanbrown/bookstack

Package

Manager: composer
Name: ssddanbrown/bookstack
Vulnerable Version: >=0 <22.02.3

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

EPSS: 0.00298 pctl0.52687

Details

Cross-site Scripting in BookStack Iframe tags don't have a sandbox attribute, this makes an attacker able to execute malicious javascript via an iframe and perform phishing attacks. The sandbox attribute will block script execution and prevents the content to navigate its top-level browsing context which will stop this type of attack.

Metadata

Created: 2022-03-09T00:00:44Z
Modified: 2022-03-14T21:03:33Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-5rcc-6cmj-7728/GHSA-5rcc-6cmj-7728.json
CWE IDs: ["CWE-79"]
Alternative ID: GHSA-5rcc-6cmj-7728
Finding: F008
Auto approve: 1