BookStack Security Release v21.08.2
Dan Brown posted on the 4th of September 2021
BookStack v21.08.2 has been released. This security release addresses a couple of stored XSS vulnerabilities, where a malicious user with page edit access could enter script content that would execute in the browser of anyone viewing the page. You should update as soon as possible if you allow untrusted users to edit content in your instance.
In addition, this release expands the Content-Security-Policy (CSP) headers set by BookStack, so that the browser refuses to run injected script even if a similar vulnerability slips past server-side filtering in future. If you've applied more advanced customizations to your instance, particularly ones that add their own scripts or styles, they may need to be altered to work with the built-in CSP system. Feel free to contact me via the channels listed below for any assistance on this.
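The useful check after upgrading is whether the CSP your instance actually sends would block the kind of payload described above: an inline `<script>` inserted into page content. The following is an added example and not BookStack's code; the policy strings in it are constructed samples for illustration, not the headers BookStack sends. It parses a CSP header, resolves the `script-src` fallback to `default-src`, and reports whether inline script is still permitted, including the edge case where `'unsafe-inline'` is neutralised by a nonce or hash.

```python
"""Check whether a Content-Security-Policy header still permits inline script.

Added example, not BookStack code. The sample policies below are constructed
for illustration and are not the headers a real BookStack instance sends.
"""

# Constructed sample policies (assumptions, not BookStack's real values).
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline'"
STRICT_CSP = "default-src 'self'; script-src 'self' 'nonce-abc123'"


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [source expressions]}.

    Directives are separated by ';'; the first token of each is the directive
    name and the remaining whitespace-separated tokens are its sources.
    Browsers ignore a repeated directive, so the first occurrence wins.
    """
    policy = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_script_sources(policy: dict):
    """Return the sources governing script, or None if script is unrestricted.

    script-src falls back to default-src when absent; if neither is present the
    policy says nothing about script at all.
    """
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src")


def allows_inline_script(header: str) -> bool:
    """True if an injected <script>...</script> would run under this policy."""
    sources = effective_script_sources(parse_csp(header))
    if sources is None:
        return True  # no script-src and no default-src: nothing blocks inline script
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered
    )
    # Under CSP level 2 and later, 'unsafe-inline' is ignored when a nonce or
    # hash source is present, so inline script without a matching nonce is blocked.
    return "'unsafe-inline'" in lowered and not has_nonce_or_hash


def csp_blocks_inline_script(headers: dict) -> bool:
    """Evaluate a response header map (names case-insensitive).

    A missing Content-Security-Policy header, or one only sent as
    Content-Security-Policy-Report-Only, does not block anything.
    """
    for name, value in headers.items():
        if name.lower() == "content-security-policy":
            return not allows_inline_script(value)
    return False


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(f"{label}: inline script allowed = {allows_inline_script(policy)}")
```

To feed it real headers, capture them with `curl -sI https://your-instance/` (a hypothetical URL), take the `Content-Security-Policy` line and pass it to `allows_inline_script`. A result of `True` after upgrading usually means a customization has reintroduced `'unsafe-inline'` or removed the `script-src` directive, which is exactly the situation the release notes warn about.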
For more information
If you have any questions or comments about this advisory:
- Open an issue in the BookStack GitHub repository.
- Ask on the BookStack Discord chat.
- Follow the BookStack Security Advice to contact someone privately.
Header Image Credits: Photo by Debby Hudson on Unsplash