BookStack Security Release v21.12.1

Dan Brown posted on the 6th of January 2022

BookStack v21.12.1 has been released. This is a security release that better enforces permissions on book-sort & chapter-move operations to address scenarios where content could be moved to non-permissible locations.

It’s advised to upgrade as soon as possible if untrusted users can update books or chapters in your BookStack instance.

• Update instructions
• GitHub release page

Thanks again to @haxatron for discovering and reporting this vulnerability via huntr.dev.

Full List of Changes

• Added timeout and debugging statuses to webhooks. (#3139)
• Added new webhook_call_before logical theme system event hook. (#3138)
• Updated support for APNG images to retain animation. (#3136)
• Updated book sort and chapter move handling to enforce more permissions. (#3134)
• Updated item-search/select box to autofocus on search field. (#3127)
• Updated webhooks to not stop application on endpoint call failure. (#3122)
• Updated translations with latest Crowdin changes. (#3117)
• Fixed webhooks list view issue where columns would become to narrow. (#3135)
• Fixed linked images showing small in PDF export. (#3120)
• Fixed issue where pasting certain code blocks would cause erratic editor behavior. (#3133)

For More Information

If you have any questions or comments about this advisory:

• Open an issue in the BookStack GitHub repository.
• Ask on the BookStack Discord chat.
• Follow the BookStack security policy to contact someone privately.

Header Image Credits: Photo by Jornada Produtora on Unsplash