CVE-2020-26260

Опубликовано: 09 дек. 2020

Источник: nvd

CVSS3: 6.4

CVSS2: 5.5

EPSS Низкий

Описание

BookStack is a platform for storing and organising information and documentation. In BookStack before version 0.30.5, a user with permissions to edit a page could set certain image URL's to manipulate functionality in the exporting system, which would allow them to make server side requests and/or have access to a wider scope of files within the BookStack file storage locations. The issue was addressed in BookStack v0.30.5. As a workaround, page edit permissions could be limited to only those that are trusted until you can upgrade.

Ссылки

https://bookstackapp.com/blog/beta-release-v0-30-5/
Vendor Advisory
https://github.com/BookStackApp/BookStack/releases/tag/v0.30.5
Release Notes
Third Party Advisory
https://github.com/BookStackApp/BookStack/security/advisories/GHSA-8wfc-w2r5-x7cr
Third Party Advisory
https://bookstackapp.com/blog/beta-release-v0-30-5/
Vendor Advisory
https://github.com/BookStackApp/BookStack/releases/tag/v0.30.5
Release Notes
Third Party Advisory
https://github.com/BookStackApp/BookStack/security/advisories/GHSA-8wfc-w2r5-x7cr
Third Party Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:bookstackapp:bookstack:*:*:*:*:*:*:*:*

Версия до 0.30.5 (исключая)

EPSS

Процентиль: 54%

0.00308

Низкий

6.4 Medium

CVSS3

5.5 Medium

CVSS2

Дефекты

CWE-74