BookStack Security Release v23.01.1

Dan Brown posted on the 2nd of February 2023

BookStack v23.01.1 has been released. This is a security release that addresses a potential vulnerability in PDF generation that could be used to make server-side requests or run potential other PHP code.

Upgrade is advised where untrusted users have permission to create page content in your instance.

From testing, it appears that successful exploitation of this would require either the disabling of BookStack default security options, or access to the host machine system, but out of caution we’re advising upgrade in any environment as specified above.

Full List of Changes

Updated pdf library to address vulnerability. (#4010)
Updated translations with latest Crowdin changes. (#4008)
Fixed missing default 180px icon. (#4006)

For More Information

If you have any questions or comments about this advisory:

Open an issue in the BookStack GitHub repository.
Ask on the BookStack Discord chat.
Follow the BookStack security policy to contact someone privately.

Header Image Credits: Photo by James Wainscoat on Unsplash

Want to let me know what you think of BookStack or this post?
You can find me on Mastodon @danb@fosstodon.org or on the BookStack Discord server.

Subscribe to Updates

There are two lists you can sign-up to for updates, A general news & updates list, sent on a weekly basis, and a security alerts list that's sent when new security updates are available.

News and Updates | Security Alerts