BookStack Security Release v24.05.4
Dan Brown posted on the 29th of August 2024
BookStack v24.05.4 has been released.
This is a security release to address two issues: one in LDAP group syncing, where in certain scenarios a user could be incorrectly matched to extra roles, and one in content visibility within “books-read” API responses, where chapter contents were returned without visibility permissions being applied properly.
Upgrade is strongly advised for instances where LDAP authentication is used with group syncing, or where the REST API is used to fetch contents of books (“books-read” endpoint).
Thanks to Linus Nagel and their team at WorkSimple GmbH for reporting this API vulnerability.
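To judge whether an instance is exposed before upgrading, the added check below (example code, not part of this post or of BookStack itself) compares a books-read response with the permission-filtered pages listing for the same book, using an API token that belongs to a restricted user. It assumes the response shapes documented for the BookStack API: `GET /api/books/{id}` returns a `contents` list whose chapter entries carry a nested `pages` list, and `GET /api/pages?filter[book_id]=N` returns only pages the token's user may view, so any page id nested under a chapter in the book response but missing from the pages listing is a leak. The sample responses embedded in the block are constructed, not captured from a real instance; the environment variable names are also an assumption of this example.

```python
"""Added example (not BookStack's own code): check whether a books-read API
response lists chapter pages that the calling user is not permitted to see.

Assumed from the BookStack API docs: GET /api/books/{id} returns `contents`
with chapter entries that nest a `pages` list, GET /api/pages applies view
permissions, and tokens authenticate as `Authorization: Token id:secret`.
"""
import json
import os
import urllib.parse
import urllib.request


def chapter_page_ids(book_response: dict) -> set[int]:
    """Collect page ids nested under chapters in a books-read response."""
    ids = set()
    for item in book_response.get("contents", []):
        if item.get("type") == "chapter":
            for page in item.get("pages", []):
                ids.add(int(page["id"]))
    return ids


def visible_page_ids(pages_response: dict) -> set[int]:
    """Collect page ids from a pages listing, which applies view permissions."""
    return {int(p["id"]) for p in pages_response.get("data", [])}


def find_leaked_page_ids(book_response: dict, pages_response: dict) -> list[int]:
    """Return chapter page ids present in the book response but not viewable."""
    return sorted(chapter_page_ids(book_response) - visible_page_ids(pages_response))


def api_get(base_url: str, path: str, token_id: str, token_secret: str) -> dict:
    """GET a BookStack API path using token auth (Authorization: Token id:secret)."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        headers={
            "Authorization": f"Token {token_id}:{token_secret}",
            "Accept": "application/json",
        },
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def check_book(base_url: str, book_id: str, token_id: str, token_secret: str) -> list[int]:
    """Live check against an instance; run it with a token for a restricted user."""
    book = api_get(base_url, f"/api/books/{book_id}", token_id, token_secret)
    query = urllib.parse.urlencode({"filter[book_id]": book_id, "count": 500})
    pages = api_get(base_url, f"/api/pages?{query}", token_id, token_secret)
    return find_leaked_page_ids(book, pages)


# Constructed sample responses (not captured from a real instance): the book
# response nests three pages under a chapter, but the permission-filtered
# pages listing returns only two of them, so page 12 is leaked.
SAMPLE_BOOK = {
    "id": 1, "name": "Handbook", "contents": [
        {"id": 7, "type": "page", "name": "Intro"},
        {"id": 3, "type": "chapter", "name": "Internal", "pages": [
            {"id": 10, "name": "Onboarding"},
            {"id": 11, "name": "Expenses"},
            {"id": 12, "name": "Restricted salaries"},
        ]},
    ],
}
SAMPLE_PAGES = {"data": [{"id": 7}, {"id": 10}, {"id": 11}], "total": 3}

if __name__ == "__main__":
    # Environment variable names are an assumption of this example.
    if os.environ.get("BOOKSTACK_URL"):
        leaked = check_book(os.environ["BOOKSTACK_URL"], os.environ["BOOK_ID"],
                            os.environ["TOKEN_ID"], os.environ["TOKEN_SECRET"])
    else:
        leaked = find_leaked_page_ids(SAMPLE_BOOK, SAMPLE_PAGES)
    print("leaked chapter page ids:", leaked)
```

An empty result for a user who lacks view permission on some chapter pages means the fix is in place; a non-empty result on a pre-24.05.4 instance is the behaviour this release corrects. The `count=500` parameter is the API's maximum page size, so books with more pages than that need the listing paginated with `offset`.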
Full List of Changes
- Updated API docs with consistent parameter types. (#5183)
- Updated default content iframe embed max-width to align with other content types. (#5130)
- Updated LDAP group sync to query via full DN.
- Updated translations with latest Crowdin changes. (#5118)
- Fixed books read API response not applying visibility control to chapter contents.
- Fixed API docs users response showing extra property. (#5178)
- Fixed database error thrown when using our dev docker setup. (#5124)
- Fixed RTL display issues with tasklist checkboxes. (#5134)
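The post says only that LDAP group sync now queries via the full DN and does not describe the pre-fix matching, so the block below is an added illustration of the general hazard such a change guards against, not BookStack's own sync logic. Two groups in different parts of a directory tree can share a CN, so a role mapping that matches on the group's short name alone grants a role the user should not hold, whereas matching on the full, normalized DN does not. The directory entries, role mapping and helper names are all constructed for this example.

```python
"""Added example (not BookStack's own code): matching LDAP groups to roles by
short name (CN) versus by full, normalized DN.

Directory entries and role mapping below are constructed. DN normalization
here covers case and whitespace around RDNs (RFC 4514 allows both to vary);
it does not handle hex escapes or multi-valued RDNs.
"""
import re


def _split_rdns(dn: str) -> list[str]:
    """Split a DN on unescaped commas, keeping escaped commas (\\,) intact."""
    return re.split(r"(?<!\\),", dn)


def normalize_dn(dn: str) -> str:
    """Lower-case attribute types and values and strip RDN whitespace."""
    parts = []
    for rdn in _split_rdns(dn):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def rdn_cn(dn: str) -> str:
    """Return the lower-cased CN of a DN's first RDN, or '' if it is not a CN."""
    attr, _, value = _split_rdns(dn)[0].partition("=")
    return value.strip().lower() if attr.strip().lower() == "cn" else ""


def roles_by_cn(member_of: list[str], role_groups: dict[str, str]) -> set[str]:
    """Weak: match only on the group's CN, ignoring where it sits in the tree."""
    wanted = {rdn_cn(dn): role for dn, role in role_groups.items()}
    return {wanted[rdn_cn(dn)] for dn in member_of if rdn_cn(dn) in wanted}


def roles_by_dn(member_of: list[str], role_groups: dict[str, str]) -> set[str]:
    """Strict: match on the full normalized DN of the configured group."""
    wanted = {normalize_dn(dn): role for dn, role in role_groups.items()}
    return {wanted[normalize_dn(dn)] for dn in member_of if normalize_dn(dn) in wanted}


# Constructed role mapping: configured group DN -> application role.
ROLE_GROUPS = {
    "cn=admins,ou=bookstack,dc=example,dc=org": "Admin",
    "cn=editors,ou=bookstack,dc=example,dc=org": "Editor",
}

# Constructed memberOf values for a user who is an editor in the application
# OU and a member of an unrelated "admins" group under a printers OU.
USER_MEMBER_OF = [
    "CN=Editors, OU=BookStack, DC=example, DC=org",
    "cn=admins,ou=printers,dc=example,dc=org",
]

if __name__ == "__main__":
    print("by CN:", sorted(roles_by_cn(USER_MEMBER_OF, ROLE_GROUPS)))
    print("by DN:", sorted(roles_by_dn(USER_MEMBER_OF, ROLE_GROUPS)))
```

Matching by CN hands this user the Admin role through the printers group; matching by full DN yields only Editor. The normalization step matters in practice because directory servers and admin tooling differ in the case and spacing they return for the same DN.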
For More Information
If you have any questions or comments about this advisory:
- Open an issue in the BookStack GitHub repository.
- Ask on the BookStack Discord chat.
- Follow the BookStack security policy to contact someone privately.
Header Image Credits: Photo by Dietmar Rabich (CC-BY-SA 4.0) - Image Modified