BookStack Security Release v23.10.3

Dan Brown posted on the 20th of November 2023

BookStack v23.10.3 has been released. This is a security release that addresses a vulnerability in image handling which could be exploited to perform server-side requests or read the contents of files on the server system. Additionally, this update addresses a lack of permission check in some image creation actions.

Upgrade is strongly advised where untrusted users have permission to create/edit/update page content in your instance.

Thanks to Carlos Bello from the Fluid Attacks Research Team for discovering and reporting this vulnerability.

Full List of Changes

Updated thumbnail handling to for use of content as image data. (#4681)

For More Information

If you have any questions or comments about this advisory:

Open an issue in the BookStack GitHub repository.
Ask on the BookStack Discord chat.
Follow the BookStack security policy to contact someone privately.

Header Image Credits: Photo by Mitchell Orr on Unsplash

Want to let me know what you think of BookStack or this post?
You can find me on Mastodon @danb@fosstodon.org or on the BookStack Discord server.

Subscribe to Updates

There are two lists you can sign-up to for updates, A general news & updates list, sent on a weekly basis, and a security alerts list that's sent when new security updates are available.

News and Updates | Security Alerts