CVE-2017-16019
Description
GitBook before 3.2.2 is vulnerable to stored XSS via arbitrary HTML/JavaScript executed on the online reader when code is not enclosed in backticks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
GitBook versions prior to 3.2.2 contain a stored cross-site scripting (XSS) vulnerability in the Markdown rendering used by the online reader. Content inside backtick-delimited code (inline code spans or fenced code blocks) is rendered as escaped text, but arbitrary HTML or JavaScript placed outside backticks anywhere in the book source is passed through as live markup. That markup is then executed in the browser of anyone who views the book on the GitBook online reader [1][2].
Exploitation
The attacker needs the ability to author or modify ebook content (e.g., via a repository push or pull request). No privileges beyond normal contributor access are required. The exploitation step is simply placing raw HTML that embeds JavaScript outside of Markdown code spans or code fences in the book source. When a reader opens that page on the online reader, the script executes in the reader's browser [1][2].
Impact
Successful exploitation results in stored cross-site scripting (XSS) within the online reader. An attacker can execute arbitrary JavaScript in the context of the reader's session, potentially allowing theft of cookies, session tokens, or other sensitive data, or performing actions on behalf of the victim within the GitBook platform [1][2].
Mitigation
The vulnerability is fixed in GitBook version 3.2.2 [1]. Users should upgrade to this version or later. No specific workaround is documented for older versions; the only partial measures are restricting who can contribute book content and sanitizing contributed Markdown before it is rendered, but upgrading is the recommended course of action.
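The rendering behaviour described in the Vulnerability and Exploitation sections, and the sanitizing fix mentioned under Mitigation, can be illustrated with a toy Markdown renderer. The code below is an added example written for this page; it is not GitBook's code, and the exact mechanism of GitBook's 3.2.2 fix is not reproduced here. It assumes only what the advisory states: backtick-delimited code is escaped, while text outside backticks is emitted as raw HTML. The sample book content is constructed for the example.

```javascript
// Added illustrative example (not GitBook's renderer). A toy Markdown-ish
// renderer that understands only three constructs: inline code spans in
// backticks, fenced code blocks on ``` lines, and plain text. It mimics the
// class of bug in CVE-2017-16019: contributed text outside backticks reaches
// the page as raw HTML, so a script element injected there executes, while
// the same payload inside backticks is escaped and therefore inert.

function escapeHtml(s) {
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Split one line into segments: { code: true, text } for backtick spans,
// { code: false, text } for everything else.
function tokenize(line) {
  const segments = [];
  const re = /`([^`]*)`/g;
  let last = 0;
  let m;
  while ((m = re.exec(line)) !== null) {
    if (m.index > last) segments.push({ code: false, text: line.slice(last, m.index) });
    segments.push({ code: true, text: m[1] });
    last = m.index + m[0].length;
  }
  if (last < line.length) segments.push({ code: false, text: line.slice(last) });
  return segments;
}

// Vulnerable line renderer: code spans are escaped, but text outside them is
// passed through unchanged, so raw HTML from a contributor becomes live markup.
function renderUnsafe(line) {
  return tokenize(line)
    .map((seg) => (seg.code ? `<code>${escapeHtml(seg.text)}</code>` : seg.text))
    .join('');
}

// Hardened line renderer: text outside code spans is escaped as well. A real
// renderer that wants to allow some HTML would use an allow-list sanitizer
// instead; escaping everything is the simplest safe default.
function renderSafe(line) {
  return tokenize(line)
    .map((seg) => (seg.code ? `<code>${escapeHtml(seg.text)}</code>` : escapeHtml(seg.text)))
    .join('');
}

// Render a whole document. Lines between ``` markers become a <pre><code>
// block with escaped contents; every other line goes through renderLine.
function renderDocument(markdown, renderLine) {
  const out = [];
  let fence = null; // collects lines while inside a fenced block
  for (const line of markdown.split('\n')) {
    if (line.trim().startsWith('```')) {
      if (fence === null) {
        fence = [];
      } else {
        out.push(`<pre><code>${escapeHtml(fence.join('\n'))}</code></pre>`);
        fence = null;
      }
      continue;
    }
    if (fence !== null) fence.push(line);
    else out.push(`<p>${renderLine(line)}</p>`);
  }
  // An unterminated fence is still treated as code, never as raw HTML.
  if (fence !== null) out.push(`<pre><code>${escapeHtml(fence.join('\n'))}</code></pre>`);
  return out.join('\n');
}

// Crude regression check a build pipeline could run over rendered output:
// count live <script ...> elements (escaped &lt;script does not match).
function countScriptTags(html) {
  return (html.match(/<script\b/gi) || []).length;
}

// Constructed sample book content (not from the advisory). The fenced payload
// and the inline-code payload should be inert; the last line carries the
// actual attack, raw HTML outside any backticks.
const SAMPLE_DOC = [
  'Call `fetch()` like this:',
  '```',
  '<script>alert(1)</script>',
  '```',
  'Never paste `<script>alert(2)</script>` into a page.',
  'Thanks for reading <script>alert(document.cookie)</script> see you soon',
].join('\n');

const unsafeHtml = renderDocument(SAMPLE_DOC, renderUnsafe);
const safeHtml = renderDocument(SAMPLE_DOC, renderSafe);
console.log('vulnerable renderer: live script tags =', countScriptTags(unsafeHtml));
console.log('hardened renderer:   live script tags =', countScriptTags(safeHtml));
```

Run with `node` to see that the vulnerable renderer emits exactly one live script element (the payload outside backticks) while the two backtick-protected payloads stay escaped in both variants. The `countScriptTags` check is deliberately crude; it catches this advisory's pattern but not event-handler attributes or `javascript:` URLs, which is why escaping or allow-list sanitizing of all non-code text, not output scanning, is the fix.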
AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| gitbook | npm | < 3.2.2 | 3.2.2 |
Affected products
- HackerOne / gitbook node module: affected range < 3.2.2
Patches
No patches discovered yet.
References
1. github.com/advisories/GHSA-5h5r-23r4-m87h (GitHub Security Advisory)
2. nvd.nist.gov/vuln/detail/CVE-2017-16019 (NVD entry)
3. github.com/GitbookIO/gitbook/issues/1609 (GitBook issue tracker)
4. nodesecurity.io/advisories/159 (Node Security Platform advisory)
5. www.npmjs.com/advisories/159 (npm advisory)