BookStack Security Release v22.07.3
Dan Brown posted on the 11th of August 2022
BookStack v22.07.3 has been released. This is a security release that adds additional filtering to page content to prevent certain cross-site-scripting techniques. These cross-site-scripting techniques would be already by blocked by BookStack’s usage of Content-Security-Policy, but this change will help scenarios where BookStack content is used externally.
In addition, the API documentation has been updated with a section focused on content security to explain the security techniques BookStack uses by default, and to relay considerations for using BookStack content in an external system. The security page of our documentation has also been updated with such considerations:
Upgrade is advised where BookStack content, accessible to edit by untrusted users, is used externally. Those using BookStack content externally (API-based app developers) should read the new documentation and add any advised protections as necessary.
Thanks to the “JPCERT/CC Vulnerability Coordination Group” contact and the original reporter, Kenichi Okuno of Mitsui Bussan Secure Directions, Inc, for disclosing their report of the relevant vulnerability scenarios.
Full List of Changes
- Added API documentation section to advise of content security. (#3636)
- Updated Persian translations. Thanks to @samadha56. (#3639)
- Updated code block rendering to help prevent blank blocks on fresh cache. (#3637)
- Updated HTML filtering to prevent SVG animate case. (#3636)
- Updated translations with latest changes from Crowdin. (#3635)
- Updated revision list view to help prevent system memory exhaustion. (#3633)
- Fixed issue with permission checking prevent certain actions where permission should have allowed. (#3632)
For More Information
If you have any questions or comments about this advisory:
- Open an issue in the BookStack GitHub repository.
- Ask on the BookStack Discord chat.
- Follow the BookStack security policy to contact someone privately.