Cross-Site Scripting and Redirects Through Page Content

Moderate
ssddanbrown published GHSA-r2cf-8778-3jgp Oct 31, 2020

Package

BookStack

Affected versions

< v0.30.4

Patched versions

v0.30.4

Description

Impact

A user with permissions to edit a page could insert JavaScript code through the use of javascript: URIs within a link or form which would run, within the context of the current page, when clicked or submitted.

Additionally, a user with permissions to edit a page could insert a particular meta tag which could be used to silently redirect users to an alternative location when they visit a page.

Patches

The issue was addressed in BookStack v0.30.4.

Dangerous content may remain in the database but will be removed before being displayed on a page. If you think this could have been exploited you can search for potential cases with the following SQL commands:

select * from pages where html like '%javascript:%';
select * from pages where html like '%<meta%';
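
The two queries above match on substrings, so they also return pages that only mention javascript: in their text, and they miss values stored with HTML entities. The following Python triage script is an added example, not part of the advisory or of BookStack's code: it parses each returned row and reports only URL attributes that resolve to a javascript: scheme, plus meta refresh tags. It assumes the rows are exported as (id, html) pairs and that the meta tag concerned is an http-equiv refresh tag, which the advisory does not name; the sample rows are constructed.

```python
import re
from html.parser import HTMLParser

# Attributes whose value the browser navigates to or submits to.
URL_ATTRS = {"href", "action", "formaction", "src", "xlink:href"}
# Browsers ignore tabs, newlines and leading control characters in a URL
# scheme; removing all of them over-matches slightly, which suits triage.
CONTROL_OR_SPACE = re.compile(r"[\x00-\x20]+")


class PageTriage(HTMLParser):
    """Collects (kind, tag, value) findings from one page's stored HTML."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases names and decodes entities in values.
        attrs = [(name, value or "") for name, value in attrs]
        for name, value in attrs:
            scheme = CONTROL_OR_SPACE.sub("", value).lower()
            if name in URL_ATTRS and scheme.startswith("javascript:"):
                self.findings.append(("javascript-uri", tag, value))
        meta = dict(attrs)
        if tag == "meta" and meta.get("http-equiv", "").strip().lower() == "refresh":
            self.findings.append(("meta-refresh", tag, meta.get("content", "")))


def scan_pages(rows):
    """rows: iterable of (page_id, html). Returns (page_id, kind, tag, value)."""
    results = []
    for page_id, html in rows:
        parser = PageTriage()
        parser.feed(html or "")
        parser.close()
        results.extend((page_id, *finding) for finding in parser.findings)
    return results


# Constructed sample rows, standing in for (id, html) from the pages table.
SAMPLE_ROWS = [
    (1, "<p>Notes on the <code>javascript:</code> scheme.</p>"),  # LIKE hit, benign
    (2, '<p><a href="JavaScript:void(0)">click</a></p>'),
    (3, '<form action="&#106;avascript:void(0)"><button>Go</button></form>'),
    (4, '<meta http-equiv="Refresh" content="0; url=https://example.invalid/">'),
    (5, '<a href="https://example.invalid/?q=javascript:">link</a>'),  # LIKE hit, benign
]
```

Rows 1 and 5 match the first SQL query but are not reported here, while row 3 is reported even though its stored text does not contain the literal string the query searches for.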

Workarounds

Page edit permissions could be limited to only those users that are trusted until you can upgrade, although this will not address existing exploitation of this vulnerability.

References

Attribution

  • Thanks to @PercussiveElbow for the discovery, reporting, patching and testing of this issue.

For more information

If you have any questions or comments about this advisory:

Severity

Moderate

CVE ID

CVE-2020-26211

Weaknesses

No CWEs