Beta Security Release v0.29.3
Dan Brown posted on the 12th of May 2020
BookStack v0.29.3 has been released to address an issue that could expose the names of private/restricted books.
Impact
The name of a restricted (private) book could be viewed by non-authorised users when that book was placed on a shelf and the shelves page was viewed in "List View". Because that view listed the books on each shelf, a restricted book's name was exposed to users who did not have permission to see the book, whenever it was part of a shelf.
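The bug class here is a listing view that renders child items without applying the per-item permission check that the other views apply. The following is an added, simplified model of that pattern and of a regression check for it; it is not BookStack's code, and the class and function names (User, Book, Shelf, render_list_view_vulnerable, render_list_view_fixed, leaked_names) and the sample shelves are assumptions constructed for illustration.

```python
"""Model of a cross-view authorisation leak: one view of a container
renders child names without the permission filter the other views use.
Added example, not BookStack code; names and data are constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset = frozenset()


@dataclass(frozen=True)
class Book:
    name: str
    # Empty set means "visible to everyone"; otherwise only these roles may view it.
    allowed_roles: frozenset = frozenset()

    def visible_to(self, user: User) -> bool:
        return not self.allowed_roles or bool(self.allowed_roles & user.roles)


@dataclass
class Shelf:
    name: str
    books: List[Book] = field(default_factory=list)

    def visible_books(self, user: User) -> List[Book]:
        """Single chokepoint: every view that lists shelf contents goes through here."""
        return [b for b in self.books if b.visible_to(user)]


Rendered = Dict[str, List[str]]  # shelf name -> book names shown under it


def render_grid_view(shelves: List[Shelf], user: User) -> Rendered:
    """Grid view in this model shows only shelf names, so no book names can leak."""
    return {s.name: [] for s in shelves}


def render_list_view_vulnerable(shelves: List[Shelf], user: User) -> Rendered:
    """List view as in the flawed pattern: reads books straight off the relation
    and never asks whether the viewer may see each one."""
    return {s.name: [b.name for b in s.books] for s in shelves}


def render_list_view_fixed(shelves: List[Shelf], user: User) -> Rendered:
    """Same view, but routed through the permission-filtering chokepoint."""
    return {s.name: [b.name for b in s.visible_books(user)] for s in shelves}


def leaked_names(render: Callable[[List[Shelf], User], Rendered],
                 shelves: List[Shelf], user: User) -> Set[str]:
    """Regression check: book names in the rendered output that the viewer is
    not permitted to see. An empty set means the view is clean for that user."""
    forbidden = {b.name for s in shelves for b in s.books if not b.visible_to(user)}
    shown = {name for names in render(shelves, user).values() for name in names}
    return shown & forbidden


# Constructed sample data (not from the advisory).
GUEST = User("guest")
ADMIN = User("admin", frozenset({"admin"}))
SHELVES = [
    Shelf("Engineering", [
        Book("Onboarding Guide"),
        Book("Incident Playbooks", frozenset({"admin"})),  # restricted book
    ]),
    Shelf("Public Docs", [Book("FAQ")]),
]

if __name__ == "__main__":
    for label, view in (("vulnerable list view", render_list_view_vulnerable),
                        ("fixed list view", render_list_view_fixed)):
        print(f"{label} leaks to guest: {sorted(leaked_names(view, SHELVES, GUEST))}")
```

The useful habit this demonstrates is running the same leak check across every view that renders a container (grid, list, search results, API listings) with a low-privilege user, rather than testing only the view where the permission filter was originally written.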
Patches
This has been patched in version v0.29.3.
Workarounds
Please update. If you cannot update immediately, a temporary workaround is to rename any private books so that their names contain no sensitive content.
References
Attribution
- Thanks to GitHub user Usinouv for discovering and reporting this issue.
More Information
If you have any questions or comments about this advisory:
- Open an issue in the BookStack GitHub repository.
- Ask on the BookStack Discord chat.
- Follow the BookStack Security Advice to contact someone privately.
Header Image Credits: Shogo Narita