+++
categories = ["Releases"]
tags = ["Releases"]
title = "BookStack Security Release v21.10.3"
date = 2021-11-01T12:00:00Z
author = "Dan Brown"
image = "/images/blog-cover-images/path-ugne-vasyliute.jpg"
slug = "bookstack-release-v21-10-3"
draft = false
+++

BookStack v21.10.3 has been released.
This is a security release that addresses a couple of vulnerabilities within the attachment and image
serving mechanisms. The attachment vulnerability could allow users to upload content that is then served
in a way that can be utilized for phishing. The image serving vulnerability could result in unintended
file access within your BookStack storage folder.

If you allow untrusted users to log in or upload attachments, you should update as soon as possible.
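
The two issues above are instances of two common web application weaknesses: serving an uploaded file with a disposition and type that lets the browser render it as a page on the application's own origin, and building a filesystem path from a user-supplied value without confirming the result stays inside the intended storage folder. The Python below is an added illustration of the corresponding defensive checks; it is not BookStack's own code (BookStack is a PHP application, and the release notes above do not describe its implementation). The storage layout, file names and MIME list it uses are assumptions made for the example.

```python
import os
import tempfile
from typing import Dict

# Assumed list of MIME types a browser would render as a document. Served
# inline from the application's origin, such a file could host a phishing page.
BROWSER_RENDERED_TYPES = {"text/html", "application/xhtml+xml"}


def safe_storage_path(storage_root: str, requested: str) -> str:
    """Resolve a user-supplied relative path against storage_root.

    Raises ValueError when the resolved path (after following symlinks)
    is not a location strictly inside the storage root.
    """
    if not requested or os.path.isabs(requested) or "\x00" in requested:
        raise ValueError("invalid path")
    root_real = os.path.realpath(storage_root)
    target = os.path.realpath(os.path.join(root_real, requested))
    # commonpath is segment-aware, so "/srv/images2" is not treated as
    # being inside "/srv/images" the way a plain startswith() check would.
    if target == root_real or os.path.commonpath([root_real, target]) != root_real:
        raise ValueError("path escapes storage root")
    return target


def attachment_headers(filename: str, content_type: str) -> Dict[str, str]:
    """Build response headers for serving an uploaded attachment.

    Types the browser would render as a page are forced to download;
    nosniff stops the browser second-guessing the declared type.
    """
    media_type = content_type.lower().split(";")[0].strip()
    disposition = "attachment" if media_type in BROWSER_RENDERED_TYPES else "inline"
    # Keep the header value free of quotes, newlines and path separators.
    safe_name = "".join(c for c in filename if c.isalnum() or c in "._-") or "download"
    return {
        "Content-Type": content_type,
        "Content-Disposition": f'{disposition}; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",
    }


def demo() -> Dict[str, str]:
    """Exercise safe_storage_path against a constructed storage tree."""
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed layout: images live two levels below a storage folder
        # that also holds a file which must never be served.
        root = os.path.join(tmp, "storage", "uploads", "images")
        os.makedirs(root)
        secret = os.path.join(tmp, "storage", ".env")
        with open(os.path.join(root, "gallery.png"), "wb") as fh:
            fh.write(b"\x89PNG constructed sample")
        with open(secret, "w") as fh:
            fh.write("APP_KEY=constructed-placeholder\n")
        # A symlink inside the root that points outside it.
        os.symlink(secret, os.path.join(root, "link.png"))

        results: Dict[str, str] = {}
        results["legit"] = os.path.basename(safe_storage_path(root, "gallery.png"))
        probes = {
            "traversal": "../../.env",
            "absolute": "/etc/hostname",
            "symlink": "link.png",
        }
        for label, path in probes.items():
            try:
                safe_storage_path(root, path)
                results[label] = "served"
            except ValueError:
                results[label] = "rejected"
        return results


if __name__ == "__main__":
    print(demo())
    print(attachment_headers("page.html", "text/html"))
```

The symlink case is the one a purely lexical `..` check misses, which is why the function resolves both the root and the candidate with `realpath` before comparing them.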

* [Update instructions](https://www.bookstackapp.com/docs/admin/updates)
* [GitHub release page](https://github.com/BookStackApp/BookStack/releases/tag/v21.10.3)


### Full List of Changes

* Updated AzureAD login library to work with the new Microsoft Graph API. ([#3028](https://github.com/BookStackApp/BookStack/issues/3028))
* Fixed image file path traversal vulnerability. Thanks @theworstcomrade for reporting. ([#3030](https://github.com/BookStackApp/BookStack/issues/3030))
* Prevented HTML attachments being served inline. Thanks @theworstcomrade for reporting. ([#3027](https://github.com/BookStackApp/BookStack/issues/3027))
* Updated translations from latest Crowdin changes. ([#3023](https://github.com/BookStackApp/BookStack/pull/3023))

### For More Information

If you have any questions or comments about this advisory:
* Open an issue in [the BookStack GitHub repository](https://github.com/BookStackApp/BookStack/issues).
* Ask on the [BookStack Discord chat](https://discord.gg/ztkBqR2).
* Follow the [BookStack security policy](https://github.com/BookStackApp/BookStack/blob/development/.github/SECURITY.md) to contact someone privately.

----

<span style="font-size: 0.8em;opacity:0.9;">Header Image Credits: <span>Photo by <a href="https://unsplash.com/@ugnehenriko?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText">Ugne Vasyliute</a> on <a href="https://unsplash.com/?utm_source=unsplash&amp;utm_medium=referral&amp;utm_content=creditCopyText">Unsplash</a></span></span>