彙總 bookstackapp 相關全部產品的 CVE 與安全漏洞情報,包括 CVSS、EPSS、公開時間與漏洞情報資料。
常見弱點模式包括 跨站腳本、SSRF、路徑處理缺陷與CSRF,在 生產負載與軟體部署 使用場景中可能帶來 工作階段劫持與檔案覆寫 等風險。
相關漏洞資料主要來源於公開漏洞披露與安全公告,可用於評估歷史漏洞暴露面與修補優先順序。
| CVE | 摘要 | 來源 | 最高 CVSS | EPSS % | 公開時間 | 更新時間 |
|---|---|---|---|---|---|---|
| CVE-2023-6199 | Book Stack version 23.10.2 allows filtering local files on the server. This is possible because the application is vulnerable to SSRF. | [email protected] | 6.5 | 13.38% | 2023-11-20 | 2025-05-19 |
| CVE-2023-4624 | Server-Side Request Forgery (SSRF) in GitHub repository bookstackapp/bookstack prior to v23.08. | [email protected] | 2.4 | 0.48% | 2023-08-30 | 2024-11-21 |
| CVE-2022-40690 | Cross-site scripting vulnerability in BookStack versions prior to v22.09 allows a remote authenticated attacker to inject an arbitrary script. | [email protected] | 5.4 | 0.37% | 2022-10-24 | 2025-05-07 |
| CVE-2022-0877 | Cross-site Scripting (XSS) - Stored in GitHub repository bookstackapp/bookstack prior to v22.02.3. | [email protected] | 5.4 | 0.28% | 2022-03-08 | 2024-11-21 |
| CVE-2021-4194 | bookstack is vulnerable to Improper Access Control | [email protected] | 6.5 | 0.15% | 2022-01-06 | 2024-11-21 |
| CVE-2021-4119 | bookstack is vulnerable to Improper Access Control | [email protected] | 9.8 | 0.43% | 2021-12-15 | 2024-11-21 |
| CVE-2021-3944 | bookstack is vulnerable to Cross-Site Request Forgery (CSRF) | [email protected] | 6.8 | 0.09% | 2021-12-02 | 2024-11-21 |
| CVE-2021-4026 | bookstack is vulnerable to Improper Access Control | [email protected] | 4.3 | 0.20% | 2021-11-30 | 2024-11-21 |
| CVE-2021-3915 | bookstack is vulnerable to Unrestricted Upload of File with Dangerous Type | [email protected] | 5.7 | 0.32% | 2021-11-13 | 2024-11-21 |
| CVE-2021-3916 | bookstack is vulnerable to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | [email protected] | 6.5 | 0.35% | 2021-11-05 | 2024-11-21 |
| CVE-2021-3906 | bookstack is vulnerable to Unrestricted Upload of File with Dangerous Type | [email protected] | 6.5 | 0.22% | 2021-10-27 | 2024-11-21 |
| CVE-2021-3874 | bookstack is vulnerable to Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | [email protected] | 6.5 | 0.36% | 2021-10-15 | 2024-11-21 |
| CVE-2021-3768 | bookstack is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | [email protected] | 5.4 | 0.18% | 2021-09-06 | 2024-11-21 |
| CVE-2021-3767 | bookstack is vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | [email protected] | 5.4 | 0.26% | 2021-09-06 | 2024-11-21 |
| CVE-2021-3758 | bookstack is vulnerable to Server-Side Request Forgery (SSRF) | [email protected] | 6.5 | 0.18% | 2021-09-02 | 2024-11-21 |
| CVE-2020-26260 | BookStack is a platform for storing and organising information and documentation. In BookStack before version 0.30.5, a user with permissions to edit a page could set certain image URL's to manipulate functionality in the exporting system, which would allow them to make server side requests and/or have access to a wider scope of files within the BookStack file storage locations. The issue was addressed in BookStack v0.30.5. As a workaround, page edit permissions could be limited to only those th | [email protected] | 6.4 | 0.31% | 2020-12-09 | 2024-11-21 |
| CVE-2020-26211 | In BookStack before version 0.30.4, a user with permissions to edit a page could insert JavaScript code through the use of `javascript:` URIs within a link or form which would run, within the context of the current page, when clicked or submitted. Additionally, a user with permissions to edit a page could insert a particular meta tag which could be used to silently redirect users to a alternative location upon visit of a page. Dangerous content may remain in the database but will be removed befo | [email protected] | 7.7 | 0.43% | 2020-11-03 | 2024-11-21 |
| CVE-2020-26210 | In BookStack before version 0.30.4, a user with permissions to edit a page could add an attached link which would execute untrusted JavaScript code when clicked by a viewer of the page. Dangerous content may remain in the database after this update. If you think this could have been exploited the linked advisory provides a SQL query to test. As a workaround, page edit permissions could be limited to only those that are trusted until you can upgrade although this will not address existing exploit | [email protected] | 7.7 | 0.43% | 2020-11-03 | 2024-11-21 |
| CVE-2020-11055 | In BookStack greater than or equal to 0.18.0 and less than 0.29.2, there is an XSS vulnerability in comment creation. A user with permission to create comments could POST HTML directly to the system to be saved in a comment, which would then be executed/displayed to others users viewing the comment. Through this vulnerability custom JavaScript code could be injected and therefore ran on other user machines. This most impacts scenarios where not-trusted users are given permission to create commen | [email protected] | 6.3 | 0.39% | 2020-05-07 | 2024-11-21 |
| CVE-2020-5256 | BookStack before version 0.25.5 has a vulnerability where a user could upload PHP files through image upload functions, which would allow them to execute code on the host system remotely. They would then have the permissions of the PHP process. This most impacts scenarios where non-trusted users are given permission to upload images in any area of the application. The issue was addressed in a series of patches in versions 0.25.3, 0.25.4 and 0.25.5. Users should upgrade to at least v0.25.5 to avo | [email protected] | 7.9 | 0.68% | 2020-03-09 | 2024-11-21 |