CVE-2020-5256: Malicious File Upload
First published: Mon Mar 09 2020(Updated: )
BookStack before version 0.25.5 has a vulnerability where a user could upload PHP files through image upload functions, which would allow them to execute code on the host system remotely. They would then have the permissions of the PHP process. This most impacts scenarios where non-trusted users are given permission to upload images in any area of the application. The issue was addressed in a series of patches in versions 0.25.3, 0.25.4 and 0.25.5. Users should upgrade to at least v0.25.5 to avoid this vulnerability.
Credit: security-advisories@github.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Bookstackapp Bookstack | <0.25.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2020-5256?
CVE-2020-5256 is a vulnerability in BookStack before version 0.25.5 that allows users to upload PHP files through image upload functions, enabling them to execute remote code on the host system.
What is the severity of CVE-2020-5256?
CVE-2020-5256 has a severity rating of critical with a CVSS score of 8.8.
How does CVE-2020-5256 impact non-trusted users?
CVE-2020-5256 most impacts scenarios where non-trusted users are present, as they have the potential to execute malicious code on the host system.
What is the affected software version for CVE-2020-5256?
BookStack versions up to and excluding 0.25.3 are affected by CVE-2020-5256.
How can I mitigate CVE-2020-5256?
To mitigate CVE-2020-5256, it is recommended to update BookStack to version 0.25.5 or above.
- collector/nvd-index
- agent/severity
- agent/weakness
- agent/references
- agent/author
- agent/type
- agent/tags
- agent/event
- agent/last-modified-date
- vendor/bookstackapp
- canonical/bookstackapp bookstack