CVE-2022-0877

MEDIUM5.4EPSS 0.31%

Cross-site Scripting in BookStack

發布日:2022/3/9修改日:2023/11/8

描述

Iframe tags don't have a sandbox attribute, this makes an attacker able to execute malicious javascript via an iframe and perform phishing attacks. The sandbox attribute will block script execution and prevents the content to navigate its top-level browsing context which will stop this type of attack.

受影響套件(1)

Packagist/ssddanbrown/bookstackfrom 0, < 22.02.3

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM5.4	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2022-0877
PATCHhttps://github.com/bookstackapp/bookstack
WEBhttps://github.com/bookstackapp/bookstack/commit/856fca8289b7370cafa033ea21c408e7d4303fd6
WEBhttps://huntr.dev/bounties/b04df4e3-ae5a-4dc6-81ec-496248b15f3c