BookStack Security Release v21.11.2

BookStack v21.11.2 has been released. This is a security release that address a couple of vulnerabilities relating to API access and page draft related content visibility:

  • If the “Public” role was provided API access then the API could be accessed, in certain scenarios, by non-authenticated users even if the “Allow public access” setting was disabled.
  • In some specific scenarios, content related to page drafts (Such as attachments) could be visible to non-owners (Whom would have permission to view the page if saved as a non-draft at that point).

It’s advised to upgrade as soon as possible if the API has been enabled for roles within your instance or if draft page content visibility could be a security concern for you.

Full List of Changes

  • Fixed issue with greater-than-expected visibility on page-draft-related items. Thanks @haxatron for reporting. (#3086)
  • Fixed issue where public API access was not limited by system public control in certain conditions. (#3091)
  • Updated translations from latest Crowdin changes. (#3076)

For More Information

If you have any questions or comments about this advisory:

Header Image Credits: Photo by Gina Neri on Unsplash