What is CVE-2020-5256?

CVE-2020-5256 is a high-severity vulnerability in Bookstackapp Bookstack, classified under Eval Injection. CVSS score: 7.9/10. Published 2020-03-09.

How severe is CVE-2020-5256?

High severity. CVSS v3 base score is 7.9 out of 10.

Is CVE-2020-5256 known to be exploited?

2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

RCE in Bookstackapp Bookstack

CVE-2020-5256

BookStack before version 0.25.5 has a vulnerability where a user could upload PHP files through image upload functions, which would allow them to execute code on the host system remotely. They would then have the permissions of the PHP pro…

EPSS: 0.007 (71.9th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.9 (High). Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:L.

Affected products

Bookstackapp Bookstack — versions < 0.25.5

Weakness classification (CWE)

CWE-95 — Eval Injection

Public proof-of-concept exploits

References

github.com/BookStackApp/BookStack/security/advisories/GHSA-g9rq-x4fj-f5hx (x_refsource_CONFIRM)
github.com/BookStackApp/BookStack/releases/tag/v0.25.3 (x_refsource_MISC)
github.com/BookStackApp/BookStack/releases/tag/v0.25.4 (x_refsource_MISC)
github.com/BookStackApp/BookStack/releases/tag/v0.25.5 (x_refsource_MISC)

Frequently asked questions

What is CVE-2020-5256?: CVE-2020-5256 is a high-severity vulnerability in Bookstackapp Bookstack, classified under Eval Injection. CVSS score: 7.9/10. Published 2020-03-09.
How severe is CVE-2020-5256?: High severity. CVSS v3 base score is 7.9 out of 10.
Is CVE-2020-5256 known to be exploited?: 2 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.