BookStack Beta v0.25.3
Security Release
This release patches a security vulnerability that allowed PHP files to be uploaded via image upload endpoints. The PHP files could then be called externally to perform malicious activity.
This is a particular concern in environments where untrusted users have the necessary permissions to upload images.
Malicious exploitation of this vulnerability may have allowed access to other files on your server that the PHP process can read, including your BookStack .env file. Consider updating any passwords or keys if you think there was a possibility of this being exploited on your instance.
It is advised that you update your BookStack instance as soon as possible.
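To help judge whether an instance was affected, the following first-pass triage script lists files in an image upload directory that look like PHP. It is an added example, not part of the BookStack release or its tooling. The function name, the extension list and the directory argument are assumptions, since this notice does not state where uploads are stored.

```shell
#!/bin/sh
# Added example: triage an image upload directory for PHP files.
# Usage (directory is yours to supply; not specified in the release note):
#   sh scan_uploads.sh /path/to/your/image/uploads

# find_suspect_uploads DIR
# Prints, one per line, every regular file under DIR that either
#   - has an extension commonly mapped to the PHP handler, or
#   - contains a PHP opening tag regardless of its name (e.g. a .gif polyglot).
find_suspect_uploads() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "not a directory: $dir" >&2
        return 2
    fi
    {
        # Match by name. The extension list is an assumption; extend it to
        # whatever your web server actually hands to PHP.
        find "$dir" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
            -o -iname '*.phtml' -o -iname '*.phar' \) -print

        # Match by content. -a reads binary image data as text, -F treats the
        # pattern literally, -l prints only file names. grep exits 1 when a
        # batch has no match, which is not an error here.
        find "$dir" -type f -exec grep -l -a -i -F '<?php' {} + || true
    } | sort -u    # a .php file matches both passes; report it once
}

# Run only when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    find_suspect_uploads "$1"
fi
```

An empty result does not prove the instance was never exploited, because uploaded files can be deleted afterwards; the advice above on rotating keys and passwords still applies.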