BookStack Security Release v21.10.1
Dan Brown posted on the 27th of October 2021
BookStack v21.10.1 has been released. This is a security release that addresses a vulnerability allowing malicious users, who have permission to create or update pages, to upload content that could then be used for phishing or other malicious purposes.
If you allow untrusted users to edit page content, you should update as soon as possible.
Thanks to @haxatron on huntr.dev for the discovery and reporting of this issue.
Full List of Changes
- Fixed image upload vulnerability. Thanks to @haxatron. (#3010)
- Fixed capitalization for Estonian language option. Thanks to @IndrekHaav. (#3008)
- Updated PHP packages to prevent abandoned warning. (#3007)
- Updated translations with latest changes from Crowdin. (#3006)
For More Information
If you have any questions or comments about this advisory:
- Open an issue in the BookStack GitHub repository.
- Ask on the BookStack Discord chat.
- Follow the BookStack security policy to contact someone privately.