ID NODEJS:159
Type nodejs
Reporter Björn Kimminich
Modified 2019-06-24T15:02:17
Description
Overview
Affected versions of gitbook do not properly sanitize user input outside of backticks, which may result in cross-site scripting in the online reader.
Recommendation
Update to version 3.2.2 or later.
References
{"id": "NODEJS:159", "type": "nodejs", "bulletinFamily": "software", "title": "Cross-Site Scripting", "description": "## Overview\n\nAffected versions of `gitbook` do not properly sanitize user input outside of backticks, which may result in cross-site scripting in the online reader.\n\n## Recommendation\n\nUpdate to version 3.2.2 or later.\n\n## References\n\n- [Issue #1609](https://github.com/GitbookIO/gitbook/issues/1609)", "published": "2016-11-28T16:06:21", "modified": "2019-06-24T15:02:17", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "href": "https://www.npmjs.com/advisories/159", "reporter": "Bj\u00f6rn Kimminich", "references": [], "cvelist": ["CVE-2017-16019"], "lastseen": "2020-09-29T11:10:49", "viewCount": 18, "enchantments": {"score": {"value": 5.8, "vector": "NONE", "modified": "2020-09-29T11:10:49", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2017-16019"]}, {"type": "github", "idList": ["GHSA-5H5R-23R4-M87H"]}], "modified": "2020-09-29T11:10:49", "rev": 2}, "vulnersScore": 5.8}, "affectedSoftware": [{"name": "gitbook", "operator": "lt", "version": "3.2.2"}]}
{"cve": [{"lastseen": "2020-12-09T20:13:25", "description": "GitBook is a command line tool (and Node.js library) for building beautiful books using GitHub/Git and Markdown (or AsciiDoc). Stored Cross-Site-Scripting (XSS) is possible in GitBook before 3.2.2 by including code outside of backticks in any ebook. This code will be executed on the online reader.", "edition": 6, "cvss3": {"exploitabilityScore": 2.8, "cvssV3": {"baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "attackComplexity": "LOW", "scope": "CHANGED", "attackVector": "NETWORK", "availabilityImpact": "NONE", "integrityImpact": "LOW", "baseScore": 6.1, "privilegesRequired": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", "userInteraction": "REQUIRED", "version": "3.0"}, "impactScore": 2.7}, "published": "2018-06-04T19:29:00", "title": "CVE-2017-16019", "type": "cve", "cwe": ["CWE-79"], "bulletinFamily": "NVD", "cvss2": {"severity": "MEDIUM", "exploitabilityScore": 8.6, "obtainAllPrivilege": false, "userInteractionRequired": true, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "MEDIUM", "confidentialityImpact": "NONE", "availabilityImpact": "NONE", "integrityImpact": "PARTIAL", "baseScore": 4.3, "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 2.9, "obtainUserPrivilege": false}, "cvelist": ["CVE-2017-16019"], "modified": "2019-10-09T23:24:00", "cpe": [], "id": "CVE-2017-16019", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16019", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}, "cpe23": []}], "github": [{"lastseen": "2021-01-08T03:27:24", "bulletinFamily": "software", "cvelist": ["CVE-2017-16019"], "description": "Affected versions of `gitbook` do not properly sanitize user input outside of backticks, which may result in cross-site scripting in the online reader.\n\n\n## Recommendation\n\nUpdate to version 3.2.2 or later.", "edition": 2, 
"modified": "2021-01-07T23:32:51", "published": "2020-09-01T16:04:39", "id": "GHSA-5H5R-23R4-M87H", "href": "https://github.com/advisories/GHSA-5h5r-23r4-m87h", "title": "Cross-Site Scripting in gitbook", "type": "github", "cvss": {"score": 4.3, "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N"}}]}