CVE-2022-0877: Cross-site Scripting in BookStack

CVSS Score
5.4 (CVSS v3.1)

Basic Information

EPSS Score
0.51315%
Published
3/9/2022
Updated
2/3/2023
KEV Status
No
Technology
PHP

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Package Name
ssddanbrown/bookstack
Ecosystem
composer
Vulnerable Versions
< 22.02.3
First Patched Version
22.02.3

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stemmed from a missing 'frame-src' CSP directive. The pre-patch CspService only emitted 'frame-ancestors' (protection against the site being embedded elsewhere) and did not restrict which sources the site's own iframes were allowed to load. The middleware therefore applied an incomplete CSP header, and the absence of 'frame-src' allowed attackers to embed malicious iframes. The patch introduced getFrameSrc() in CspService and consolidated the CSP headers to include this directive, which is where the vulnerability existed.
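The difference between the two header shapes described above, as an added example that is not BookStack's code: the class, its methods and the allow-list are hypothetical, modelled only on the CspService / getFrameSrc() names in the advisory. The parser and the audit function show how a defender can check a response header for the directive (frame-src, or the child-src / default-src fallbacks a browser would consult in its absence).

```php
<?php
declare(strict_types=1);

// Added example, not BookStack's code. Hypothetical builder contrasting a CSP
// that carries only frame-ancestors (who may embed this site) with one that also
// carries frame-src (what this site's own pages may embed).
final class ExampleCspBuilder
{
    /** @param string[] $allowedIframeHosts hosts pages may embed, e.g. a video provider */
    public function __construct(private array $allowedIframeHosts = []) {}

    // Pre-patch shape: restricts who can frame the site, says nothing about iframe content.
    public function frameAncestorsOnly(): string
    {
        return "frame-ancestors 'self'";
    }

    // Patched shape: adds frame-src so the browser refuses iframes whose
    // source is outside the allow-list.
    public function withFrameSrc(): string
    {
        $sources = array_merge(["'self'"], $this->allowedIframeHosts);
        return "frame-ancestors 'self'; frame-src " . implode(' ', $sources);
    }
}

// Parse a CSP header value into directive => source list so a response can be audited.
function parseCsp(string $header): array
{
    $directives = [];
    foreach (explode(';', $header) as $part) {
        $tokens = preg_split('/\s+/', trim($part), -1, PREG_SPLIT_NO_EMPTY);
        if ($tokens === false || $tokens === []) {
            continue;
        }
        $name = strtolower(array_shift($tokens));
        $directives[$name] = $tokens;
    }
    return $directives;
}

// True when the header constrains iframe content: frame-src, or the child-src /
// default-src directives the browser falls back to when frame-src is absent.
function constrainsIframeContent(string $header): bool
{
    $d = parseCsp($header);
    return isset($d['frame-src']) || isset($d['child-src']) || isset($d['default-src']);
}

$builder = new ExampleCspBuilder(['https://www.youtube.com']);
foreach ([$builder->frameAncestorsOnly(), $builder->withFrameSrc()] as $csp) {
    printf("%-70s iframe content constrained: %s\n",
        $csp, constrainsIframeContent($csp) ? 'yes' : 'NO');
}
```

Run with the php CLI; the first line reports NO, the second yes. The audit is intentionally lenient about fallbacks, since a header with default-src but no frame-src still limits iframes, and a false alarm there would hide the real gap.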

Vulnerable functions

Only Miggo users can see this section

WAF Protection Rules

WAF Rule

Iframe tags don't have a sandbox attribute; this makes an attacker able to execute malicious javascript via an iframe and perform phishing attacks. The sandbox attribute will block script execution and prevents the content to navigate its top-level …
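A content-side check for the condition this rule describes, as an added example that is neither BookStack's nor Miggo's code: it scans an HTML fragment (for instance user-authored page content) for iframe elements without a sandbox attribute and returns a hardened copy. The sample markup is constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not BookStack's or Miggo's code. Finds <iframe> elements that
// lack a sandbox attribute and returns both the offending src values and a
// hardened copy in which each such iframe receives sandbox="" (every restriction
// on: no scripts, no top-level navigation, no forms, opaque origin).
function sandboxIframes(string $fragment): array
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true); // fragments are not full documents; ignore parser warnings
    $doc->loadHTML('<!DOCTYPE html><html><body><div id="root">' . $fragment . '</div></body></html>');
    libxml_clear_errors();

    $flagged = [];
    foreach ($doc->getElementsByTagName('iframe') as $iframe) {
        if (!$iframe->hasAttribute('sandbox')) {
            $flagged[] = $iframe->getAttribute('src');
            $iframe->setAttribute('sandbox', '');
        }
    }

    // Serialise only the wrapper's children so the caller gets a fragment back.
    $root = (new DOMXPath($doc))->query('//div[@id="root"]')->item(0);
    $hardened = '';
    foreach ($root->childNodes as $child) {
        $hardened .= $doc->saveHTML($child);
    }
    return ['flagged' => $flagged, 'html' => $hardened];
}

// Constructed sample: one iframe already sandboxed, one not.
$sample = '<p>Intro</p>'
    . '<iframe src="https://player.example.net/v/1" sandbox="allow-scripts"></iframe>'
    . '<iframe src="https://third-party.example/embed"></iframe>';

$result = sandboxIframes($sample);
echo "Unsandboxed iframes: " . implode(', ', $result['flagged']) . "\n";
echo $result['html'] . "\n";
```

The empty sandbox value is the strict default; an application that must let a trusted embed run scripts can widen it per host, but granting both allow-scripts and allow-same-origin to the same frame lets the framed content remove its own sandbox, so that pair should never be issued together for untrusted sources.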

Reasoning

The vulnerability stemmed from missing 'frame-src' CSP rules. The pre-patch `CspService` focused on 'frame-ancestors' (embedding protection) but didn't enforce allowed iframe content sources. The middleware then applied incomplete CSP headers. The …