GHSA-5rcc-6cmj-7728

Source

https://github.com/advisories/GHSA-5rcc-6cmj-7728

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-5rcc-6cmj-7728/GHSA-5rcc-6cmj-7728.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-5rcc-6cmj-7728

Aliases

CVE-2022-0877

Published

2022-03-09T00:00:44Z

Modified

2023-11-08T04:07:41.697904Z

Severity

5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N CVSS Calculator

Summary

Cross-site Scripting in BookStack

Details

Iframe tags don't have a sandbox attribute, this makes an attacker able to execute malicious javascript via an iframe and perform phishing attacks. The sandbox attribute will block script execution and prevents the content to navigate its top-level browsing context which will stop this type of attack.

Database specific

{
    "nvd_published_at": "2022-03-08T13:15:00Z",
    "github_reviewed_at": "2022-03-09T18:24:00Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-79"
    ]
}

References

Affected packages

Packagist / ssddanbrown/bookstack

Package

Name: ssddanbrown/bookstack
Purl: pkg:composer/ssddanbrown/bookstack

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

22.02.3

Affected versions

V0.*

V0.7.5

v0.*

v0.5.0

v0.6.0

v0.6.1

v0.6.2

v0.6.3

v0.7.0

v0.7.3

v0.7.4

v0.7.6

v0.8.0

v0.8.1

v0.8.2

v0.9.0

v0.9.1

v0.9.2

v0.9.3

v0.10.0

v0.11.0

v0.11.1

v0.11.2

v0.12.0

v0.12.1

v0.12.2

v0.13.0

v0.13.1

v0.14.0

v0.14.1

v0.14.2

v0.14.3

v0.15.0

v0.15.1

v0.15.2

v0.15.3

v0.16.0

v0.16.1

v0.16.2

v0.16.3

v0.17.0

v0.17.1

v0.17.2

v0.17.3

v0.17.4

v0.18.0

v0.18.1

v0.18.2

v0.18.3

v0.18.4

v0.18.5

v0.19.0

v0.20.0

v0.20.1

v0.20.2

v0.20.3

v0.21.0

v0.22.0

v0.23.0

v0.23.1

v0.23.2

v0.24.0

v0.24.1

v0.24.2

v0.24.3

v0.25.0

v0.25.1

v0.25.2

v0.25.3

v0.25.4

v0.25.5

v0.26.0

v0.26.1

v0.26.2

v0.26.3

v0.26.4

v0.27

v0.27.1

v0.27.2

v0.27.3

v0.27.4

v0.27.5

v0.28.0

v0.28.1

v0.28.2

v0.28.3

v0.29.0

v0.29.1

v0.29.2

v0.29.3

v0.30.0

v0.30.1

v0.30.2

v0.30.3

v0.30.4

v0.30.5

v0.30.6

v0.30.7

v0.31.0

v0.31.1

v0.31.2

v0.31.3

v0.31.4

v0.31.5

v0.31.6

v0.31.7

v0.31.8

0.*

0.7.2

v21.*

v21.04

v21.04.1

v21.04.2

v21.04.3

v21.04.4

v21.04.5

v21.04.6

v21.05

v21.05.1

v21.05.2

v21.05.3

v21.05.4

v21.08

v21.08.1

v21.08.2

v21.08.3

v21.08.4

v21.08.5

v21.08.6

v21.10

v21.10.1

v21.10.2

v21.10.3

v21.11

v21.11.1

v21.11.2

v21.11.3

v21.12

v21.12.1

v21.12.2

v21.12.3

v21.12.4

v21.12.5

v22.*

v22.02

v22.02.1

v22.02.2