Skip to content

BookStack v23.10.3
Compare
Choose a tag to compare
@ssddanbrown ssddanbrown released this 20 Nov 14:16
· 449 commits to development since this release
v23.10.3
This tag was signed with the committer’s verified signature.
ssddanbrown Dan Brown
GPG key ID: 46D9F943C24A2EF9
Learn about vigilant mode.
8744eb2

Security Release

This is a security release that addresses a vulnerability in image handling which could be exploited to perform server-side requests or read the contents of files on the server system.
Additionally, this update addresses a lack of permission check in some image creation actions.

Upgrade is strongly advised where untrusted users have permission to create/edit/update page content in your instance.

Thanks to Carlos Bello from the Fluid Attacks Research Team for discovering and reporting this vulnerability.

Full List of Changes

  • Updated thumbnail handling to for use of content as image data. (#4681)
Assets 2
Loading