CVE-2020-26211: Bookstack Cross-site Scripting vulnerability

CVSS Score (v3.1): 8.7

Basic Information

EPSS Score: 0.61833%
Published: 5/24/2022
Updated: 7/20/2023
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Package Name          | Ecosystem | Vulnerable Versions | First Patched Version
ssddanbrown/bookstack | composer  | < 0.30.4            | 0.30.4

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from insufficient HTML sanitization in the escapeScripts method. The GitHub patch adds specific XPath queries to remove dangerous elements (links with javascript: URIs, forms with javascript: actions, and redirect meta tags), which were previously not sanitized. The test cases in PageContentTest.php demonstrate these were exploitable vectors pre-patch. Since escapeScripts is the primary HTML sanitization function called during page rendering, its lack of these specific sanitization steps directly enabled the vulnerability.
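As an added illustration of the fix the analysis describes (this is not BookStack's own escapeScripts code; the function name and the sample markup are hypothetical), a small PHP sanitizer that removes the same three element classes through XPath queries over a parsed DOM:

```php
<?php
// Added example, not BookStack's code. Removes the vectors named in the
// root-cause analysis: <a href="javascript:...">, <form action="javascript:...">
// and <meta http-equiv="refresh">, plus <script> elements.
function stripScriptUris(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);
    // The XML prolog makes libxml treat the fragment as UTF-8; the wrapper div
    // lets us serialise only the original fragment afterwards.
    $doc->loadHTML('<?xml encoding="utf-8"?><div id="__wrap">' . $html . '</div>');
    libxml_clear_errors();
    $xpath = new DOMXPath($doc);

    // XPath 1.0 has no lower-case(); translate() folds the scheme letters so
    // "JavaScript:" and " javascript:" (leading whitespace) are both matched.
    $jsUri = "starts-with(normalize-space(translate(@%s, 'JAVSCRIPT', 'javscript')), 'javascript:')";
    $queries = [
        '//a[' . sprintf($jsUri, 'href') . ']',
        '//form[' . sprintf($jsUri, 'action') . ']',
        "//meta[translate(@http-equiv, 'REFSH', 'refsh') = 'refresh']",
        '//script',
    ];
    foreach ($queries as $query) {
        // Snapshot the node list first; removing while iterating a live list is unsafe.
        foreach (iterator_to_array($xpath->query($query), false) as $node) {
            $node->parentNode->removeChild($node);
        }
    }

    $wrap = $xpath->query('//div[@id="__wrap"]')->item(0);
    $out = '';
    foreach ($wrap->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

// Constructed sample page content containing each vector once plus a benign link.
$sample = '<p>Hi <a href=" JavaScript:alert(1)">x</a><a href="/ok">ok</a></p>'
    . '<form action="javascript:alert(2)"><input type="submit"></form>'
    . '<meta http-equiv="Refresh" content="0;url=https://example.invalid/">';
echo stripScriptUris($sample), PHP_EOL;
```

This covers only the attribute names and the plain `javascript:` scheme spelling named in the analysis; a production sanitizer must also handle other URI-bearing attributes and entity- or whitespace-obfuscated schemes, which is why an allow-list approach is preferable to ad-hoc removal.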


WAF Protection Rules

WAF Rule

In BookStack before version 0.30.4, a user with permissions to edit a page could insert JavaScript code through the use of `javascript:` URIs within a link or form which would run, within the context of the current page, when clicked or submitted.
