CVE-2020-26210: XSS
First published: Tue Nov 03 2020(Updated: )
In BookStack before version 0.30.4, a user with permissions to edit a page could add an attached link which would execute untrusted JavaScript code when clicked by a viewer of the page. Dangerous content may remain in the database after this update. If you think this could have been exploited the linked advisory provides a SQL query to test. As a workaround, page edit permissions could be limited to only those that are trusted until you can upgrade although this will not address existing exploitation of this vulnerability. The issue is fixed in version 0.30.4.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Bookstackapp Bookstack | <0.30.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2020-26210?
CVE-2020-26210 is a vulnerability in BookStack before version 0.30.4 that allows a user to add an attached link which can execute untrusted JavaScript code when clicked by a viewer of the page.
What is the severity of CVE-2020-26210?
CVE-2020-26210 has a severity rating of 8.7 which is considered high.
How can CVE-2020-26210 be exploited?
CVE-2020-26210 can be exploited by a user with edit permissions who adds an attached link containing malicious JavaScript code.
What is the affected software for CVE-2020-26210?
The affected software for CVE-2020-26210 is BookStack before version 0.30.4.
How can I fix CVE-2020-26210?
To fix CVE-2020-26210, update BookStack to version 0.30.4 or later.
- collector/nvd-index
- vendor/bookstackapp
- canonical/bookstackapp bookstack