BookStack Security Release v22.02.3
Dan Brown posted on the 7th of March 2022
BookStack v22.02.3 has been released. This is a security release that adds stronger protection against embedded content that could be used maliciously: embedded iframe content is now restricted to an allow-list of permitted sources.
An ALLOWED_IFRAME_SOURCES option has been added to configure which embed/iframe sources are allowed within BookStack pages. It defaults to a couple of popular services such as YouTube and Vimeo.
Please see this link for more detail regarding this option:
- (“Iframe Source Control” section)
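The allow-list check behind an option like this, as an added illustration written for this post rather than BookStack's own code: it assumes the option value is a space-separated list of origins where a leading "*." matches any subdomain (the format and sample page content are constructed), and shows why the comparison must cover the scheme and the whole host rather than a substring, and why an iframe carrying srcdoc must be rejected as well.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

ALLOWED_IFRAME_SOURCES = "https://*.youtube.com https://*.vimeo.com"  # constructed sample; "*." wildcard format is assumed

def parse_allow_list(value: str) -> list[tuple[str, str, bool]]:
    """Each entry becomes (scheme, host, any_subdomain), e.g. ('https', 'youtube.com', True)."""
    entries = []
    for item in value.split():
        scheme, _, rest = item.partition("://")
        host = rest.split("/", 1)[0].lower()
        wildcard = host.startswith("*.")
        entries.append((scheme.lower(), host[2:] if wildcard else host, wildcard))
    return entries

def src_is_allowed(src: str, allow_list: list[tuple[str, str, bool]]) -> bool:
    """Match scheme plus the whole host; a substring check would pass youtube.com.evil.example."""
    parsed = urlparse(src.strip())
    scheme, host = parsed.scheme.lower(), (parsed.hostname or "").lower()
    if not scheme or not host:  # rejects relative, protocol-relative, javascript: and data: URLs
        return False
    return any(scheme == s and (host == h or (wild and host.endswith("." + h)))
               for s, h, wild in allow_list)

class IframeAuditor(HTMLParser):
    """Records every <iframe> (self-closing ones included) that the allow-list rejects."""
    def __init__(self, allow_list):
        super().__init__()
        self.allow_list, self.disallowed = allow_list, []

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}
        # srcdoc embeds inline HTML regardless of src, so it is never allowed here
        if "srcdoc" in a or not src_is_allowed(a.get("src", ""), self.allow_list):
            self.disallowed.append(a.get("src", "<no src>"))

def disallowed_iframe_sources(html: str, option_value: str = ALLOWED_IFRAME_SOURCES) -> list[str]:
    """Return the src of each iframe in page HTML that the configured allow-list rejects."""
    auditor = IframeAuditor(parse_allow_list(option_value))
    auditor.feed(html)
    auditor.close()
    return auditor.disallowed

SAMPLE_PAGE = ('<iframe src="https://www.youtube.com/embed/abc123"></iframe>'  # constructed page content
               '<iframe src="https://youtube.com.evil.example/"></iframe>'
               '<iframe src="//player.vimeo.com/video/1"></iframe><iframe srcdoc="inline"></iframe>')
```

Running disallowed_iframe_sources(SAMPLE_PAGE) flags the look-alike host, the protocol-relative URL and the srcdoc iframe while the YouTube embed passes.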
It’s advised to upgrade as soon as possible if untrusted users can create or update pages within your BookStack instance.
Thanks to @416e6e61 (Anna) for discovering and reporting this vulnerability via huntr.dev.
Full List of Changes
- Added iframe allow-list control to prevent a range of malicious uses of untrusted iframe sources. (#3314)
- Updated translations with latest Crowdin changes. (#3312)
For More Information
If you have any questions or comments about this advisory:
- Open an issue in the BookStack GitHub repository.
- Ask on the BookStack Discord chat.
- Follow the BookStack security policy to contact someone privately.