
Search Results

Search Parameters:
  • Results Type: Overview
  • Keyword (text search): cpe:2.3:a:bookstackapp:bookstack:0.7.1:*:*:*:*:*:*:*
  • CPE Name Search: true
There are 18 matching records.
Displaying matches 1 through 18.
Columns: Vuln ID, Summary, CVSS Severity (each record below lists the ID, the summary, the publication date, and the CVSS v3.1 and v2.0 scores)
CVE-2023-4624

Server-Side Request Forgery (SSRF) in GitHub repository bookstackapp/bookstack prior to v23.08.

Published: August 30, 2023; 9:15:15 AM -0400
V3.1: 2.4 LOW
V2.0: (not available)
CVE-2022-40690

Cross-site scripting vulnerability in BookStack versions prior to v22.09 allows a remote authenticated attacker to inject an arbitrary script.

Published: October 24, 2022; 10:15:52 AM -0400
V3.1: 5.4 MEDIUM
V2.0: (not available)
CVE-2022-0877

Cross-site Scripting (XSS) - Stored in GitHub repository bookstackapp/bookstack prior to v22.02.3.

Published: March 08, 2022; 8:15:08 AM -0500
V3.1: 5.4 MEDIUM
V2.0: 3.5 LOW
CVE-2021-4194

bookstack is vulnerable to Improper Access Control

Published: January 06, 2022; 1:15:07 PM -0500
V3.1: 6.5 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2021-4119

bookstack is vulnerable to Improper Access Control

Published: December 15, 2021; 3:15:08 PM -0500
V3.1: 9.8 CRITICAL
V2.0: 7.5 HIGH
CVE-2021-3944

bookstack is vulnerable to Cross-Site Request Forgery (CSRF)

Published: December 02, 2021; 12:15:08 PM -0500
V3.1: 6.8 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2021-4026

bookstack is vulnerable to Improper Access Control

Published: November 30, 2021; 3:15:07 PM -0500
V3.1: 4.3 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2021-3915

bookstack is vulnerable to Unrestricted Upload of File with Dangerous Type

Published: November 13, 2021; 5:15:07 AM -0500
V3.1: 5.7 MEDIUM
V2.0: 3.5 LOW
CVE-2021-3916

bookstack is vulnerable to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Published: November 05, 2021; 11:15:07 AM -0400
V3.1: 6.5 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2021-3906

bookstack is vulnerable to Unrestricted Upload of File with Dangerous Type

Published: October 27, 2021; 6:15:07 PM -0400
V3.1: 6.5 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2021-3874

bookstack is vulnerable to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

Published: October 15, 2021; 10:15:07 AM -0400
V3.1: 6.5 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2021-3768

bookstack is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Published: September 06, 2021; 8:15:08 AM -0400
V3.1: 5.4 MEDIUM
V2.0: 3.5 LOW
CVE-2021-3767

bookstack is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Published: September 06, 2021; 8:15:08 AM -0400
V3.1: 5.4 MEDIUM
V2.0: 3.5 LOW
CVE-2021-3758

bookstack is vulnerable to Server-Side Request Forgery (SSRF)

Published: September 02, 2021; 8:15:07 AM -0400
V3.1: 6.5 MEDIUM
V2.0: 4.0 MEDIUM
CVE-2020-26260

BookStack is a platform for storing and organising information and documentation. In BookStack before version 0.30.5, a user with permissions to edit a page could set certain image URLs to manipulate functionality in the exporting system, which would allow them to make server-side requests and/or have access to a wider scope of files within the BookStack file storage locations. The issue was addressed in BookStack v0.30.5. As a workaround, page edit permissions could be limited to only those that are trusted until you can upgrade.

Published: December 09, 2020; 12:15:30 PM -0500
V3.1: 6.4 MEDIUM
V2.0: 5.5 MEDIUM
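The CVE-2020-26260 summary above describes an exporter that fetched whatever image URL a page editor placed in the content. The following is an added example, not BookStack's own code, of the class of check that closes both halves of that issue (server-side requests and reads outside the image store). It assumes a layout, invented for the example, where page images are served from IMAGE_URL_PREFIX on the site's own origin BASE_URL and live under one directory on disk; any other <img src> (another host, file:, php://, data:, or a traversal out of the prefix) is refused instead of being fetched or opened. The image store it runs against is a constructed temporary fixture.

```python
"""Confine export-time image resolution to the application's own image store.

Added example, not BookStack's code. It assumes a layout where page images
are served from IMAGE_URL_PREFIX on the site's own origin (BASE_URL) and
stored on disk under a single directory; every other <img src> (another
host, file:, php://, data:, a traversal out of the prefix) is refused, so
the exporter never makes a server-side request or opens a file outside
that directory on a page editor's behalf.
"""
import posixpath
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import unquote, urlsplit

BASE_URL = "https://wiki.example.internal"   # assumed site origin
IMAGE_URL_PREFIX = "/uploads/images/"        # assumed public image path


def storage_relpath(src: str) -> Optional[str]:
    """Map an <img src> to a path relative to the image root, or None."""
    parts = urlsplit(src.strip())
    base = urlsplit(BASE_URL)
    if parts.scheme or parts.netloc:
        # Absolute or protocol-relative URL: only our own origin qualifies.
        if parts.scheme.lower() != base.scheme or parts.netloc.lower() != base.netloc:
            return None
    # Decode once, then collapse "." and ".." before checking the prefix so
    # "/uploads/images/../../.env" is seen as "/.env" and refused.
    norm = posixpath.normpath(unquote(parts.path))
    if not norm.startswith(IMAGE_URL_PREFIX):
        return None
    rel = norm[len(IMAGE_URL_PREFIX):]
    return rel or None


def load_export_image(src: str, storage_root: Path) -> Optional[bytes]:
    """Read the bytes to inline in an export, or None if src is not ours."""
    rel = storage_relpath(src)
    if rel is None:
        return None
    root = storage_root.resolve()
    try:
        # resolve() follows symlinks, so a link planted inside the store
        # that points outside it is caught by the containment check too.
        target = (root / rel).resolve()
        target.relative_to(root)
    except (ValueError, OSError):
        return None
    if not target.is_file():
        return None
    return target.read_bytes()


def make_demo_storage() -> Path:
    """Constructed fixture: an image store with one PNG, plus a secret file
    one level above it standing in for the application's .env."""
    base = Path(tempfile.mkdtemp())
    images = base / "uploads" / "images"
    images.mkdir(parents=True)
    (images / "diagram.png").write_bytes(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16)
    (base / ".env").write_text("APP_KEY=do-not-leak\n")
    return images


if __name__ == "__main__":
    root = make_demo_storage()
    for src in ("/uploads/images/diagram.png",
                "https://wiki.example.internal/uploads/images/diagram.png",
                "/uploads/images/../../.env",
                "/uploads/images/%2e%2e/%2e%2e/.env",
                "file:///etc/passwd",
                "php://filter/read=convert.base64-encode/resource=/etc/passwd",
                "http://169.254.169.254/latest/meta-data/",
                "//attacker.example/x.png"):
        data = load_export_image(src, root)
        print(f"{src!r}: {'inlined' if data else 'refused'}")
```

The two checks are deliberately separate: the URL-level one decides whether the exporter should touch the reference at all (so no outbound request is ever made for a foreign host), and the filesystem-level one re-confines the resolved path after symlinks, because a prefix check on the URL alone says nothing about where a symlink inside the store points.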
CVE-2020-26211

In BookStack before version 0.30.4, a user with permissions to edit a page could insert JavaScript code through the use of `javascript:` URIs within a link or form which would run, within the context of the current page, when clicked or submitted. Additionally, a user with permissions to edit a page could insert a particular meta tag which could be used to silently redirect users to an alternative location upon visit of a page. Dangerous content may remain in the database but will be removed before being displayed on a page. If you think this could have been exploited the linked advisory provides a SQL query to test. As a workaround without upgrading, page edit permissions could be limited to only those that are trusted until you can upgrade although this will not address existing exploitation of this vulnerability. The issue is fixed in BookStack version 0.30.4.

Published: November 03, 2020; 4:15:12 PM -0500
V3.1: 8.7 HIGH
V2.0: 3.5 LOW
CVE-2020-26210

In BookStack before version 0.30.4, a user with permissions to edit a page could add an attached link which would execute untrusted JavaScript code when clicked by a viewer of the page. Dangerous content may remain in the database after this update. If you think this could have been exploited the linked advisory provides a SQL query to test. As a workaround, page edit permissions could be limited to only those that are trusted until you can upgrade although this will not address existing exploitation of this vulnerability. The issue is fixed in version 0.30.4.

Published: November 03, 2020; 2:15:13 PM -0500
V3.1: 8.7 HIGH
V2.0: 3.5 LOW
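CVE-2020-26211 and CVE-2020-26210 above both come down to a navigation target in stored page content (a link href, a form action, an attached link) carrying a `javascript:` URI, plus a meta-refresh tag used as a silent redirect. The following is an added example, not BookStack's code, of a scheme allow-list for such targets and a small walker that applies it to the attributes where targets live. The allowed scheme set and the tag/attribute table are assumptions chosen for the example; the sample content it is run on is constructed here.

```python
"""Scheme allow-list for user-supplied link and form targets.

Added example (not BookStack's own code): the class of check that stops a
`javascript:` URI in stored page content from executing when a viewer
clicks it, plus a walker that applies it to the attributes where such
targets live and flags meta-refresh redirects.
"""
import html
import re
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import unquote, urlsplit

ALLOWED_SCHEMES = {"http", "https", "mailto"}   # assumed policy

# Browsers drop tab, newline and leading/trailing C0 controls from a URL
# before parsing it, so "java\tscript:" still runs. This strips every
# control character and space, which is stricter than the browser and
# therefore the safe direction for an allow-list.
_CONTROL = re.compile(r"[\x00-\x20]")

# Attributes carrying a navigation target in page content (assumed set).
TARGET_ATTRS = {"a": "href", "area": "href", "form": "action"}


def normalise_target(raw: str) -> str:
    """Undo the encodings a stored payload uses to hide its scheme.

    The result is used only to classify the scheme, never emitted, so the
    aggressive decoding cannot corrupt legitimate percent-encoded links.
    """
    s = html.unescape(raw)   # &#106;avascript: / javascript&colon; -> javascript:
    s = unquote(s)           # %6Aavascript: -> javascript:
    return _CONTROL.sub("", s)


def is_safe_target(raw: str) -> bool:
    """True for relative targets and for allow-listed absolute schemes."""
    target = normalise_target(raw)
    if not target:
        return False
    scheme = urlsplit(target).scheme.lower()
    if scheme == "":
        return True  # relative path or fragment
    return scheme in ALLOWED_SCHEMES


class UnsafeTargetFinder(HTMLParser):
    """Collect (tag, attribute, value) for every target that fails the check."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Tuple[str, str, str]] = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        # A <meta http-equiv="refresh"> in user content is a silent redirect.
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            self.findings.append((tag, "http-equiv", attrs.get("content") or ""))
            return
        attr = TARGET_ATTRS.get(tag)
        if attr is not None and attr in attrs:
            value = attrs[attr] or ""
            if not is_safe_target(value):
                self.findings.append((tag, attr, value))


def find_unsafe_targets(fragment: str) -> List[Tuple[str, str, str]]:
    parser = UnsafeTargetFinder()
    parser.feed(fragment)
    parser.close()
    return parser.findings


# Constructed sample page content: two legitimate links, then the kinds of
# payload the check must catch (entity-encoded, whitespace-split, upper-case
# scheme, and a meta refresh).
SAMPLE_CONTENT = (
    '<p>See <a href="https://example.org/docs">the docs</a> and '
    '<a href="/books/1/page/2">this page</a>.</p>'
    '<a href="&#106;avascript:alert(document.cookie)">click</a>'
    '<a href=" java\nscript:alert(1)">click</a>'
    '<form action="JAVASCRIPT:alert(1)"><input type="submit"></form>'
    '<meta http-equiv="refresh" content="0;url=https://attacker.example/">'
)

if __name__ == "__main__":
    for tag, attr, value in find_unsafe_targets(SAMPLE_CONTENT):
        print(f"unsafe <{tag} {attr}>: {value!r}")
```

An allow-list of schemes is the point; a deny-list of `javascript:` spellings is what the encoded and whitespace-split variants in the sample are designed to get past. In a real sanitiser the walker would rewrite or drop the offending attribute rather than just report it, but the decision function is the same.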
CVE-2020-5256

BookStack before version 0.25.5 has a vulnerability where a user could upload PHP files through image upload functions, which would allow them to execute code on the host system remotely. They would then have the permissions of the PHP process. This most impacts scenarios where non-trusted users are given permission to upload images in any area of the application. The issue was addressed in a series of patches in versions 0.25.3, 0.25.4 and 0.25.5. Users should upgrade to at least v0.25.5 to avoid this vulnerability.

Published: March 09, 2020; 12:15:15 PM -0400
V3.1: 8.8 HIGH
V2.0: 9.0 HIGH