BookStack Security Release v22.02.3

BookStack v22.02.3 has been released. This is a security release that adds better protections against embedded content that could be used in malicious ways. This effectively restricts embedded iframe content in an allow-list approach.

A new ALLOWED_IFRAME_SOURCES option has been added to provide configuration of allowed embed/iframe sources within BookStack pages, and this defaults to a couple of popular services such as YouTube and Vimeo.

Please see this link for more detail regarding this option:

It’s advised to upgrade as soon as possible if untrusted users can create or update pages within your BookStack instance.

Thanks to @416e6e61 (Anna) for discovering and reporting this vulnerability via

Full List of Changes

  • Added iframe allow-list control to prevent a range of malicious uses of untrusted iframe sources. (#3314)
  • Updated translations with latest Crowdin changes. (#3312)

For More Information

If you have any questions or comments about this advisory:

Header Image Credits: Photo by Yudi M on Unsplash