BookStack Security Release v21.10.3

Dan Brown posted on the 1st of November 2021

BookStack v21.10.3 has been released. This is a security release that address a couple of vulnerabilities within the attachment and image serving mechanisms. The attachment vulnerability could result in users uploading content to be served in a way that can be utilized for phishing. The image serving vulnerability could result in unintended file access within your BookStack storage folder.

If you allow untrusted users to login or upload attachments you should update as soon as possible.

Full List of Changes

Updated AzureAD login library to work with the new Microsoft Graph API. (#3028)
Fixed path image file path traversal vulnerability. Thanks @theworstcomrade for reporting. (#3030)
Prevented HTML attachments being served inline. Thanks @theworstcomrade for reporting. (#3027)
Updated translations from latest Crowdin changes. (#3023)

For More Information

If you have any questions or comments about this advisory:

Open an issue in the BookStack GitHub repository.
Ask on the BookStack Discord chat.
Follow the BookStack security policy to contact someone privately.

Header Image Credits: Photo by Ugne Vasyliute on Unsplash

Want to let me know what you think of BookStack or this post?
You can find me on Mastodon @danb@fosstodon.org or on the BookStack Discord server.

Subscribe to Updates

There are two lists you can sign-up to for updates, A general news & updates list, sent on a weekly basis, and a security alerts list that's sent when new security updates are available.

News and Updates | Security Alerts