BookStack Security Release v23.10.3
Dan Brown posted on the 20th of November 2023
BookStack v23.10.3 has been released. This is a security release that addresses a vulnerability in image handling which could be exploited to perform server-side requests or read the contents of files on the server system. Additionally, this update addresses a lack of permission check in some image creation actions.
Upgrade is strongly advised where untrusted users have permission to create/edit/update page content in your instance.
Full List of Changes
- Updated thumbnail handling to for use of content as image data. (#4681)
For More Information
If you have any questions or comments about this advisory:
- Open an issue in the BookStack GitHub repository.
- Ask on the BookStack Discord chat.
- Follow the BookStack security policy to contact someone privately.