composer

BookStack Incorrect Access Control vulnerability

High severity GitHub Reviewed Published Jul 10, 2024 to the GitHub Advisory Database • Updated Jul 11, 2024

Package

ssddanbrown/bookstack (Composer)

Affected versions

< 24.05.1

Patched versions

24.05.1

Description

Incorrect access control in BookStack before v24.05.1 allows attackers to confirm existing system users and perform targeted notification email DoS via public facing forms.

References

https://nvd.nist.gov/vuln/detail/CVE-2024-36676
BookStackApp/BookStack#4993
https://github.com/BookStackApp/BookStack/releases/tag/v24.05.1
https://www.bookstackapp.com/blog/bookstack-release-v24-05-1
BookStackApp/BookStack@69af9e0

Published by the National Vulnerability Database

Jul 9, 2024

Published to the GitHub Advisory Database Jul 10, 2024

Reviewed Jul 10, 2024

Last updated Jul 11, 2024

Severity

High

8.2

/ 10

CVSS base metrics

Attack vector

Network

Attack complexity

Low

Privileges required

None

User interaction

None

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

High

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

BookStack Incorrect Access Control vulnerability

Package

Affected versions

Patched versions

Description

References

Severity

CVSS base metrics

Weaknesses

CVE ID

GHSA ID

Source code