BookStack Security Release v23.10.3

BookStack v23.10.3 has been released. This is a security release that addresses a vulnerability in image handling which could be exploited to perform server-side requests or read the contents of files on the server system. Additionally, this update addresses a lack of permission check in some image creation actions.

Upgrade is strongly advised where untrusted users have permission to create/edit/update page content in your instance.

Thanks to Carlos Bello from the Fluid Attacks Research Team for discovering and reporting this vulnerability.

Full List of Changes

  • Updated thumbnail handling to force use of content as image data. (#4681)

For More Information

If you have any questions or comments about this advisory:

Header Image Credits: Photo by Mitchell Orr on Unsplash