CVE-2020-26210

7.7 HIGH

📋 TL;DR

This vulnerability allows an authenticated user with page edit permissions in BookStack to insert malicious javascript: links into page content. When another user clicks such a link, the attacker's JavaScript runs in that user's browser, in the context of the BookStack site. All BookStack versions before 0.30.4 are affected.

💻 Affected Systems

Products:
  • BookStack
Versions: All versions before 0.30.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Exploitation requires a user with page edit permissions. Dangerous content already stored in the database may persist even after upgrading.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could steal session cookies, perform actions as other users, redirect to phishing sites, or compromise user accounts through cross-site scripting attacks.

🟠 Likely Case

Malicious users with edit permissions could embed JavaScript that steals credentials or performs unauthorized actions when clicked by administrators or other users.

🟢 If Mitigated

With access controls that limit edit permissions to trusted users only, the risk of new exploitation is reduced, but it is not eliminated: malicious content already stored in existing pages and revisions remains until it is found and removed.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires an authenticated user with edit permissions. A proof of concept is available in the vendor advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.30.4

Vendor Advisory: https://github.com/BookStackApp/BookStack/security/advisories/GHSA-7p2j-4h6p-cq3h

Restart Required: Yes

Instructions:

1. Back up your BookStack instance and database.
2. Update to version 0.30.4 or later.
3. Run the SQL query from the advisory to check for prior exploitation.
4. Restart the application.

🔧 Temporary Workarounds

Limit Edit Permissions

Restrict page edit permissions to only trusted users until patching is complete.

🧯 If You Can't Patch

  • Audit all pages for suspicious links and remove any malicious content
  • Implement strict Content Security Policy headers to mitigate XSS impact

🔍 How to Verify

Check if Vulnerable:

Check the BookStack version; if it is below 0.30.4, the instance is vulnerable. To check whether the issue has already been exploited, run the SQL query from the advisory against the BookStack database:

SELECT * FROM page_revisions WHERE html LIKE '%javascript:%' OR html LIKE '%data:text/html%'
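The advisory's LIKE query is a plain substring match over the stored HTML. As an added example (not code from the advisory or the BookStack project), the following Python script applies the same two-scheme check to revision HTML, but extracts each href attribute and normalizes it the way a browser does before comparing the scheme, so that case, whitespace and HTML-entity variations do not hide a hit; like_query_would_catch mirrors the SQL query for comparison. The revision rows are constructed samples, and the table layout (id, html) is assumed.

```python
import html
import re

# Constructed sample rows standing in for (id, html) from BookStack's
# page_revisions table; not taken from any real instance.
SAMPLE_REVISIONS = [
    (1, '<p>See <a href="https://example.org/docs">the docs</a>.</p>'),
    (2, '<p><a href="javascript:void(0)">plain scheme</a></p>'),
    (3, '<p><a href=" JaVaScRiPt:void(0)">mixed case, leading space</a></p>'),
    (4, '<p><a href="&#106;avascript:void(0)">entity-encoded first letter</a></p>'),
    (5, '<p><a href="data:text/html,hello">data URL carrying HTML</a></p>'),
    (6, '<p><a href="mailto:admin@example.org">harmless mailto link</a></p>'),
]

# Matches href="...", href='...' and unquoted href=... attribute values.
HREF_RE = re.compile(r"""href\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""", re.IGNORECASE)

# The two schemes the advisory's SQL query looks for.
DANGEROUS_PREFIXES = ("javascript:", "data:text/html")

def normalize_url(raw: str) -> str:
    # Approximate what a browser does before resolving an href: decode HTML
    # entities, drop ASCII whitespace/control characters, lowercase.
    decoded = html.unescape(raw)
    return "".join(ch for ch in decoded if ord(ch) > 0x20).lower()

def find_dangerous_links(page_html: str) -> list[str]:
    # Raw href values whose normalized form starts with a dangerous scheme.
    hits = []
    for match in HREF_RE.finditer(page_html):
        raw = next(group for group in match.groups() if group is not None)
        if normalize_url(raw).startswith(DANGEROUS_PREFIXES):
            hits.append(raw)
    return hits

def scan_revisions(rows) -> list[tuple[int, list[str]]]:
    # Apply find_dangerous_links to (id, html) rows; keep only rows with hits.
    return [(rev_id, hits) for rev_id, page_html in rows
            if (hits := find_dangerous_links(page_html))]

def like_query_would_catch(page_html: str) -> bool:
    # Same test as the advisory's LIKE '%javascript:%' OR LIKE '%data:text/html%'
    # query (MySQL's default collations compare case-insensitively).
    lowered = page_html.lower()
    return "javascript:" in lowered or "data:text/html" in lowered

if __name__ == "__main__":
    for rev_id, hits in scan_revisions(SAMPLE_REVISIONS):
        print(rev_id, hits, "LIKE query catches:", like_query_would_catch(dict(SAMPLE_REVISIONS)[rev_id]))
```

Run it against an export of the html column (for example from a database dump) rather than only the SQL query: revision 4 above is flagged by the script but not by the LIKE match, so a clean SQL result alone is not proof that no dangerous links were stored.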

Check Version:

Check the version shown in the BookStack admin panel, or view the version in composer.json.

Verify Fix Applied:

Confirm version is 0.30.4 or higher. Test that JavaScript links in page attachments no longer execute.

📡 Detection & Monitoring

Log Indicators:

  • Unusual page edits by users with edit permissions
  • Multiple failed login attempts following page views

Network Indicators:

  • Outbound connections to suspicious domains after clicking BookStack links

SIEM Query:

source="bookstack" AND (event="page_edit" OR event="link_click") | stats count by user
