8.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-26211

GHSA ID

GHSA-ch37-ch8w-cfrq

EPSS Score

0.61833%

CWE

CWE-79

Published

5/24/2022

Updated

7/20/2023

KEV Status

Technology

PHP

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-26211

CVE-2020-26211: Bookstack Cross-site Scripting vulnerability

In BookStack before version 0.30.4, a user with permissions to edit a page could insert JavaScript code through the use of javascript: URIs within a link or form which would run, within the context of the current page, when clicked or submitted. Additionally, a user with permissions to edit a page could insert a particular meta tag which could be used to silently redirect users to a alternative location upon visit of a page. Dangerous content may remain in the database but will be removed before being displayed on a page. If you think this could have been exploited the linked advisory provides a SQL query to test. As a workaround without upgrading, page edit permissions could be limited to only those that are trusted until you can upgrade although this will not address existing exploitation of this vulnerability. The issue is fixed in BookStack version 0.30.4.

(GitHub Advisory)

8.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-26211

GHSA ID

GHSA-ch37-ch8w-cfrq

EPSS Score

0.61833%

CWE

CWE-79

Published

5/24/2022

Updated

7/20/2023

KEV Status

Technology

PHP

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
ssddanbrown/bookstack	composer	< 0.30.4	0.30.4

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from insufficient HTML sanitization in the escapeScripts method. The GitHub patch adds specific XPath queries to remove dangerous elements (links with javascript: URIs, forms with javascript: actions, and redirect meta tags), which were previously not sanitized. The test cases in PageContentTest.php demonstrate these were exploitable vectors pre-patch. Since escapeScripts is the primary HTML sanitization function called during page rendering, its lack of these specific sanitization steps directly enabled the vulnerability.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

In *ookSt**k ***or* v*rsion *.**.*, * us*r wit* p*rmissions to **it * p*** *oul* ins*rt J*v*S*ript *o** t*rou** t** us* o* `j*v*s*ript:` URIs wit*in * link or *orm w*i** woul* run, wit*in t** *ont*xt o* t** *urr*nt p***, w**n *li*k** or su*mitt**. **

Reasoning

T** vuln*r**ility st*ms *rom insu**i*i*nt *TML s*nitiz*tion in t** `*s**p*S*ripts` m*t*o*. T** *it*u* p*t** ***s sp**i*i* XP*t* qu*ri*s to r*mov* **n**rous *l*m*nts (links wit* `j*v*s*ript:` URIs, *orms wit* `j*v*s*ript:` **tions, *n* r**ir**t m*t* t

8.7

Basic Information

Concerned about an active attack path?

CVE-2020-26211: Bookstack Cross-site Scripting vulnerability

8.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI