CVE-2022-0877
MEDIUM 5.4 | EPSS 0.31%
Cross-site Scripting in BookStack
Published: 3/9/2022 | Modified: 11/8/2023
Description
Iframe tags do not have a sandbox attribute, which allows an attacker to execute malicious JavaScript via an iframe and perform phishing attacks. The sandbox attribute blocks script execution and prevents the content from navigating its top-level browsing context, which stops this type of attack.
Affected packages (1)
- Packagist/ssddanbrown/bookstack: from 0, < 22.02.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |