BookStack Security Release v21.12.1
Dan Brown posted on the 6th of January 2022
BookStack v21.12.1 has been released. This is a security release that better enforces permissions on book-sort & chapter-move operations to address scenarios where content could be moved to non-permissible locations.
It’s advised to upgrade as soon as possible if untrusted users can update books or chapters in your BookStack instance.
Thanks again to @haxatron for discovering and reporting this vulnerability via huntr.dev.
Full List of Changes
- Added timeout and debugging statuses to webhooks. (#3139)
- Added new webhook_call_before logical theme system event hook. (#3138)
- Updated support for APNG images to retain animation. (#3136)
- Updated book sort and chapter move handling to enforce more permissions. (#3134)
- Updated item-search/select box to autofocus on search field. (#3127)
- Updated webhooks to not stop application on endpoint call failure. (#3122)
- Updated translations with latest Crowdin changes. (#3117)
- Fixed webhooks list view issue where columns would become to narrow. (#3135)
- Fixed linked images showing small in PDF export. (#3120)
- Fixed issue where pasting certain code blocks would cause erratic editor behavior. (#3133)
For More Information
If you have any questions or comments about this advisory:
- Open an issue in the BookStack GitHub repository.
- Ask on the BookStack Discord chat.
- Follow the BookStack security policy to contact someone privately.