
CVE-2024-36676: BookStack Incorrect Access Control vulnerability

CVSS Score (v3.1): 8.2

Basic Information

EPSS Score: 0.46485%
Published: 7/10/2024
Updated: 7/31/2024
KEV Status: No
Technology: PHP

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Package Name: ssddanbrown/bookstack
Ecosystem: composer
Vulnerable Versions: < 24.05.1
First Patched Version: 24.05.1

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stemmed from missing IP-based rate limiting on public authentication endpoints. The fixing commit added the 'throttle:public' middleware to these routes and introduced random delays in password reset handling. The affected functions correspond to endpoints that:

1) processed user-controlled input (email addresses) without request limits, enabling user enumeration via timing analysis or response differentiation;
2) allowed unlimited attempts to trigger email notifications, creating a DoS vector against the targeted mailbox and the application's mail pipeline.

The high confidence comes from explicit patch evidence showing these functions were secured with throttling and timing mitigations.
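The two mitigations named above (an IP-keyed throttle on public authentication routes, and a timing pad in the reset handler) are shown below in a generic Laravel-style application. This is an added illustration, not BookStack's own patch: the limiter name 'public', the route paths, the controller classes, the delay bounds and the response wording are assumed for the example.

```php
<?php
// Added illustration (not BookStack's own code): IP-based rate limiting
// on public authentication routes plus a timing pad in password reset,
// the two fixes the root cause analysis above describes.
// Assumed for this example: the 'public' limiter name, the route paths,
// the controller classes and the delay bounds.

use App\Models\User;
use Illuminate\Cache\RateLimiting\Limit;
use Illuminate\Http\Request;
use Illuminate\Support\Facades\Password;
use Illuminate\Support\Facades\RateLimiter;
use Illuminate\Support\Facades\Route;

// 1. A named limiter keyed on the client IP. Once the budget is spent,
//    Laravel's throttle middleware answers HTTP 429 before the controller
//    runs, so no further reset e-mails can be triggered from that address.
RateLimiter::for('public', function (Request $request) {
    return Limit::perMinute(10)->by($request->ip());
});

// 2. Apply it to every unauthenticated form that accepts user input.
//    LoginController and RegisterController are assumed to exist.
Route::middleware('throttle:public')->group(function () {
    Route::post('/login', [LoginController::class, 'login']);
    Route::post('/register', [RegisterController::class, 'register']);
    Route::post('/password/email', [ForgotPasswordController::class, 'sendResetLinkEmail']);
});

// 3. The reset handler answers identically whether or not the address is
//    registered, and pads its response time so the extra work done for a
//    known account (lookup plus mail send) is not directly observable.
class ForgotPasswordController
{
    public function sendResetLinkEmail(Request $request)
    {
        $email = $request->validate(['email' => 'required|email'])['email'];

        // Only a registered address gets mail; the caller cannot tell.
        if (User::where('email', $email)->exists()) {
            Password::sendResetLink(['email' => $email]);
        }

        // Random pad of 200 to 700 ms (assumed bounds) so response timing
        // does not line up with the branch taken above.
        usleep(random_int(200_000, 700_000));

        // Same message on both branches; no "account not found" variant.
        return back()->with('status', 'If that address is registered, a reset link has been sent.');
    }
}
```

Two points a reviewer would check: the throttle must be keyed on something the client cannot freely rotate (the real client IP behind any proxy, with trusted-proxy headers configured), otherwise the budget is per-request rather than per-attacker; and a random delay only raises the noise floor, since over many samples the mean response time of the two branches still differs. The throttle is what caps the number of samples an enumeration attempt can collect; padding every response up to a fixed minimum duration (measure elapsed time, sleep the remainder) removes the signal more robustly than a random sleep alone.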


WAF Protection Rules

WAF Rule

Incorrect Access Control in BookStack before v24.05.1 allows attackers to confirm existing system users and perform targeted notification email DoS via public facing forms.
