SB2018060420 - Cross-site scripting in GitBook GitBook




Published: June 4, 2018 Updated: July 17, 2020

Security Bulletin ID SB2018060420
Severity Low
Patch available YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Low 100%

Description

This security bulletin contains information about 1 security vulnerability.


1) Cross-site scripting (CVE-ID: CVE-2017-16019)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

GitBook is a command-line tool (and Node.js library) for building beautiful books using GitHub/Git and Markdown (or AsciiDoc). Stored cross-site scripting (XSS) is possible in GitBook before 3.2.2 by including code outside of backticks in any ebook. This code is then executed in the online reader when the book is viewed.


Remediation

Install the update from the vendor's website. As stated above, GitBook versions before 3.2.2 are affected.
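
The Node.js code below is an added example, not code from this bulletin or from the GitBook project. It checks a version string against the affected range stated above (before 3.2.2) and audits Markdown source for active HTML that sits outside backticks. The function names, the pattern list and the sample chapter are assumptions constructed for illustration.

```javascript
// Affected range per the bulletin: GitBook before 3.2.2 (pre-release tags ignored).
function isAffectedVersion(version) {
  const parts = String(version).replace(/^v/, '').split('.');
  const cur = [0, 1, 2].map((i) => parseInt(parts[i], 10) || 0);
  const fixed = [3, 2, 2];
  for (let i = 0; i < 3; i++) {
    if (cur[i] !== fixed[i]) return cur[i] < fixed[i];
  }
  return false; // exactly 3.2.2
}

// Heuristic patterns for HTML a browser would execute (assumed list, not exhaustive).
const ACTIVE_HTML = [
  /<\s*(script|iframe|object|embed|svg)\b/i,
  /<[^>]+\son\w+\s*=/i, // inline event-handler attributes
  /javascript\s*:/i,
];

// Return lines with active HTML outside fenced code blocks and inline code spans.
function findActiveHtml(markdown) {
  const findings = [];
  let fence = null; // fence character while inside a fenced code block
  markdown.split(/\r?\n/).forEach((line, idx) => {
    const m = line.match(/^\s{0,3}(`{3,}|~{3,})/);
    if (m) {
      if (fence === null) fence = m[1][0];
      else if (m[1][0] === fence) fence = null;
      return;
    }
    if (fence !== null) return; // content inside a fence is rendered as text
    const visible = line.replace(/(`+).*?\1/g, ''); // drop inline code spans
    if (ACTIVE_HTML.some((re) => re.test(visible))) {
      findings.push({ line: idx + 1, text: line.trim() });
    }
  });
  return findings;
}

// Constructed sample chapter (not taken from any real book).
const SAMPLE = [
  '# Chapter 1',
  'Inline code is inert: `<script>console.log(1)</script>`',
  '~~~html',
  '<script>console.log(1)</script>',
  '~~~',
  'Raw HTML outside backticks: <script>console.log(1)</script>',
  '<img src="cover.png" onerror="track()">',
].join('\n');
console.log(findActiveHtml(SAMPLE).map((f) => f.line));
```

Indented (four-space) code blocks are not recognised by this scan, so any HTML inside them is reported as a finding and needs manual review.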