Beta Security Release v0.30.6
Dan Brown posted on the 17th of December 2020
BookStack v0.30.6 has been released to address an issue that could lead to restricted page content being visible in certain circumstances. You should upgrade to this release as soon as possible if you make use of page-level permissions at all.
Impact
If a chapter was visible to a user, but all of its pages were made not visible, then the details of these pages could be visible. Within the BookStack interface, the names of the pages and preview content could be seen. If the parent book was exported then this would include the content of the pages that had been restricted.
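As an added illustration (not BookStack's code; the entity model, role names and helper functions are assumed for the example), a minimal per-entity permission filter with a regression check for the exact condition above: a chapter visible to a user whose pages are all restricted must expose no page names or content, in the listing or in an export.

```python
# Hypothetical model of per-entity view permissions, not BookStack's own.
from dataclasses import dataclass, field


@dataclass
class Page:
    name: str
    content: str
    allowed_roles: set  # roles that may view this page


@dataclass
class Chapter:
    name: str
    allowed_roles: set
    pages: list = field(default_factory=list)


def can_view(entity, role):
    """Each entity is checked on its own permissions, never its parent's."""
    return role in entity.allowed_roles


def visible_pages(chapter, role):
    """Listing: filter every page even when the chapter itself is visible."""
    if not can_view(chapter, role):
        return []
    return [p for p in chapter.pages if can_view(p, role)]


def export_chapter(chapter, role):
    """Export: apply the same per-page filter so restricted content is never rendered."""
    return [(p.name, p.content) for p in visible_pages(chapter, role)]


def check_no_leak(chapter, role):
    """Regression check for the advisory's case: returns the names of restricted
    pages that still appear in the listing or export (empty means the filter holds)."""
    hidden = [p for p in chapter.pages if not can_view(p, role)]
    listed = visible_pages(chapter, role)
    exported = export_chapter(chapter, role)
    return [p.name for p in hidden if p in listed or (p.name, p.content) in exported]


# Constructed sample: the chapter is visible to "viewer", neither page is.
CHAPTER = Chapter("Ops runbook", {"admin", "viewer"}, [
    Page("Rotation schedule", "on-call: alice, bob", {"admin"}),
    Page("Escalation", "call the vendor line", {"admin"}),
])
```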
Patches
This has been patched in v0.30.6.
Workarounds
Please update. As a temporary workaround you could ensure that there is at least one other page within a chapter that’s visible to users.
References
Attribution
A big thanks to @cdrfun for discovering and reporting this issue.
For more information
If you have any questions or comments about this advisory:
- Open an issue in the BookStack GitHub repository.
- Ask on the BookStack Discord chat.
- Follow the BookStack Security Advice to contact someone privately.
Header Image Credits: Photo by Waldemar Brandt on Unsplash