CVE-2023-6199

MEDIUM

BookStack 23.10.2 - Server-Side Request Forgery via Local File Filtering


Exploitation Summary

EIP tracks 2 public exploits for CVE-2023-6199, with PoCs published by 4xura and AbdrrahimDahmani. Both are Python tools that use an error-based PHP filter chain oracle to read local files through the SSRF.

Description

BookStack 23.10.2 allows an authenticated user to have the server apply PHP stream filters (php://filter chains) to local files. Because the output of such a chain can be made to differ observably between an error response and a normal one, this acts as an oracle that leaks file contents, giving arbitrary file read. The root cause is a server-side request forgery (CWE-918): a URL supplied by the user is fetched by the server without restricting the scheme to remote HTTP(S). The vendor reference below is the v23.10.3 release notes.
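The pattern behind this bug class, written up here as an added illustration rather than BookStack's own code: a "fetch this URL for me" handler that passes user input to file_get_contents(). PHP's stream layer resolves wrapper schemes, so a "php://filter/<chain>/resource=<path>" value is accepted as a URL and runs the chain over a local file; that is the primitive the error-based oracle PoCs above build on. The hardened variant allowlists the scheme and refuses internal address ranges. Function names, the sample file and its contents are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added example (not BookStack's code). Shows the vulnerable fetch pattern
// behind CVE-2023-6199 and a hardened replacement. Names are assumed.

function fetch_url_vulnerable(string $url): string|false
{
    // No scheme or host check: php://, file://, data: and internal http://
    // hosts are all accepted. A php://filter chain over a local path is the
    // input the oracle PoCs send here.
    return file_get_contents($url);
}

function fetch_url_hardened(string $url): string|false
{
    $parts = parse_url($url);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return false;
    }
    // Only http/https are acceptable remote sources. This check alone closes
    // the php://filter path (parse_url gives scheme "php", host "filter").
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return false;
    }
    // Resolve the host and refuse private, loopback, link-local and reserved
    // ranges so the endpoint cannot be aimed at internal services (the SSRF
    // half of CWE-918). gethostbyname() returns the name unchanged when it
    // cannot resolve, which filter_var() then rejects as not an IP.
    // It also only returns IPv4; an IPv6 deployment should resolve with
    // dns_get_record() and apply the same check to every returned address.
    $ip = gethostbyname($parts['host']);
    $flags = FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE;
    if (filter_var($ip, FILTER_VALIDATE_IP, $flags) === false) {
        return false;
    }
    // Do not follow redirects (a 302 could point back at an internal host or
    // at another scheme) and bound the time spent on the request.
    $ctx = stream_context_create(['http' => ['follow_location' => 0, 'timeout' => 5]]);
    return file_get_contents($url, false, $ctx);
}

// Demonstration on a constructed local file: the vulnerable fetch returns the
// file through a filter chain, the hardened one refuses the same input.
$path = tempnam(sys_get_temp_dir(), 'ssrf');
file_put_contents($path, "secret-token=abc123\n"); // constructed sample content
$chain = 'php://filter/convert.base64-encode/resource=' . $path;

var_dump(fetch_url_vulnerable($chain));                     // base64 of the file
var_dump(fetch_url_hardened($chain));                       // bool(false): scheme not http(s)
var_dump(fetch_url_hardened('http://127.0.0.1:8080/admin')); // bool(false): loopback rejected
var_dump(fetch_url_hardened('http://169.254.169.254/latest/meta-data/')); // bool(false): link-local
unlink($path);
```

The resolve-then-fetch order still leaves a DNS rebinding window (the name is resolved once for the check and again by the HTTP wrapper); a deployment that cares about that should fetch with cURL and pin the checked address via CURLOPT_RESOLVE, or route outbound fetches through an egress proxy that enforces the same policy.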

Exploits (2)

php_filter_chain_oracle_poc · by 4xura · poc · listed via nomisec · Working PoC · 2 GitHub stars
https://github.com/4xura/php_filter_chain_oracle_poc

This repository contains a procedural Python PoC that exploits PHP filter chain oracles to achieve arbitrary file read via SSRF, targeting CVE-2023-6199 in BookStack. It includes scripts to customize and run the exploit, plus PHP examples demonstrating the filter chain manipulations.

Classification: Working PoC (95%)
Attack type: SSRF
Complexity: Complex
Reliability: Reliable
Target: BookStack (CVE-2023-6199)
Authentication required: yes
Prerequisites: SSRF vulnerability in target application · Ability to send crafted HTTP requests · PHP filter chain support in the target environment
Analyzed by devstral-2 on Feb 16, 2026
php_filter_chains_oracle_exploit_for_CVE-2023-6199 · by AbdrrahimDahmani · poc · listed via nomisec · Working PoC
https://github.com/AbdrrahimDahmani/php_filter_chains_oracle_exploit_for_CVE-2023-6199

This repository contains a Python-based exploit for CVE-2023-6199 that uses PHP filter chains to read local files through an error-based oracle. It targets BookStack 23.10.2, exploiting the SSRF vulnerability to leak file contents.

Classification: Working PoC (95%)
Attack type: Info leak
Complexity: Complex
Reliability: Reliable
Target: BookStack 23.10.2
Authentication required: yes
Prerequisites: Valid session token · CSRF token · Access to vulnerable endpoint
Analyzed by devstral-2 on Feb 16, 2026

References (2)

Exploit, Third Party Advisory: https://fluidattacks.com/advisories/imagination/
Product, Release Notes, Vendor Advisory: https://www.bookstackapp.com/blog/bookstack-release-v23-10-3/

Scores

CVSS v3.1 base score: 6.5 (Medium)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (attack vector network, low complexity, low privileges required, no user interaction, unchanged scope; high confidentiality impact, no integrity or availability impact)
EPSS: 0.0138 (68.7th percentile)

Details

CWE: CWE-918 (Server-Side Request Forgery)
Status: published
Products (1): bookstackapp/bookstack 23.10.2
Published: Nov 20, 2023
Tracked since: Feb 18, 2026