Beta Security Release v0.30.4
Dan Brown posted on the 31st of October 2020
XSS and user-injected auto-redirect vulnerabilities have been found within the page content & attachment components of BookStack which BookStack v0.30.4 looks to address. These are primarily a concern if untrusted users can edit content on your BookStack instance.
A user with permissions to edit a page could insert a particular meta tag which could be used to silently redirect users to a alternative location upon visit of a page.
The issues were addressed in BookStack v0.30.4.
Dangerous content may remain in the database. The in-page vulnerabilities will be removed before being displayed on a page but dangerous attachment content will remain if exploited. If you think this could have been exploited you can search for potential cases with the following SQL commands:
Page edit permissions could be limited to only those that are trusted until you can upgrade although this will not address existing exploitation of this vulnerability.
- BookStack Beta v0.30.4
- GitHub Security Page - XSS/Redirect in Page Content
- GitHub Security Page - XSS in Page Attachment
- Thanks to @PercussiveElbow for the discovery, reporting, patching and testing of the page-content vulnerabilities.
- Thanks to Yassine ABOUKIR (https://twitter.com/yassineaboukir/) for the discovery and reporting of the page attachment vulnerability.
If you have any questions or comments about this advisory:
- Open an issue in the BookStack GitHub repository.
- Ask on the BookStack Discord chat.
- Follow the BookStack Security Advice to contact someone privately.