Beta Security Release v0.30.6
Dan Brown posted on the 17th of December 2020
BookStack v0.30.6 has been released to address an issue that could lead to restricted page content being visible in certain circumstances. You should upgrade to this released as soon as possible if you make use of page-level permissions at all.
If a chapter was visible to a user, but all of its pages were made not visible, then the details of these pages could be visible. Within the BookStack interface, the names of the pages and preview content could be seen. If the parent book was exported then this would include the content of the pages that had been restricted.
This has been patched in v0.30.6.
Please update. As a temporary workaround you could ensure that there is at least one other page within a chapter that’s visible to users.
A big thanks to @cdrfun for discovering and reporting this issue.
For more information
If you have any questions or comments about this advisory:
- Open an issue in the BookStack GitHub repository.
- Ask on the BookStack Discord chat.
- Follow the BookStack Security Advice to contact someone privately.
Header Image Credits: Photo by Waldemar Brandt on Unsplash