Skip to content

BookStack v23.01.1
Compare
Choose a tag to compare
@ssddanbrown ssddanbrown released this 02 Feb 12:31
· 694 commits to development since this release
v23.01.1
This tag was signed with the committer’s verified signature.
ssddanbrown Dan Brown
GPG key ID: 46D9F943C24A2EF9
Learn about vigilant mode.
ce9b536
This commit was signed with the committer’s verified signature.
ssddanbrown Dan Brown
GPG key ID: 46D9F943C24A2EF9
Learn about vigilant mode.

Security Release

This is a security release that addresses a potential vulnerability in PDF generation that could be used to make server-side requests or run potential other PHP code.

Upgrade is advised where untrusted users have permission to create page content in your instance.

From testing, it appears that successful exploitation of this would require either the disabling of BookStack default security options, or access to the host machine system, but out of caution we're advising upgrade in any environment as specified above.

Full List of Changes

  • Updated pdf library to address vulnerability. (#4010)
  • Updated translations with latest Crowdin changes. (#4008)
  • Fixed missing default 180px icon. (#4006)
Assets 2