Beta Security Release v0.29.3
Dan Brown posted on the 12th of May 2020
BookStack v0.29.3 has been released to address an issue that could expose the names of private/restricted books.
The name of a restricted book could be viewed by non-authorised users when the book was on a shelf, and the shelves were viewed in “List View”. This could expose book names to those that did not have permission to see them, when part of a shelf.
This has been patched in version v0.29.3.
Please update otherwise you could temporarily change the name of any private books to remove any sensitive content.
- Thanks to GitHub user Usinouv for discovering and reporting this issue.
If you have any questions or comments about this advisory:
- Open an issue in the BookStack GitHub repository.
- Ask on the BookStack Discord chat.
- Follow the BookStack Security Advice to contact someone privately.
Header Image Credits: Shogo Narita