categories = ["Releases"]
title = "Beta Security Release v0.30.4"
date = 2020-10-31T16:30:00Z
image = "/images/blog-cover-images/unsplash/locks-marcos-mayer.jpg"
description = "This release contains some security fixes to prevent various XSS attacks"
slug = "beta-release-v0-30-4"
XSS and user-injected auto-redirect vulnerabilities have been found within the page content & attachment components of BookStack, and BookStack v0.30.4 addresses them. These are primarily a concern if untrusted users can edit content on your BookStack instance, since each of the issues below requires page edit permission.

* [Update instructions](https://www.bookstackapp.com/docs/admin/updates)
* [GitHub release page](https://github.com/BookStackApp/BookStack/releases/tag/v0.30.4)
1. A user with permission to edit a page could insert JavaScript through `javascript:` URIs in the `href` of a link or the `action` of a form. The script would run in the context of the BookStack page, and so with the session of whoever is viewing it, when the link was clicked or the form submitted.

2. A user with permission to edit a page could insert a particular meta tag which silently redirects viewers to an alternative location when they visit the page.

3. A user with permission to edit a page could add a link-type attachment whose URL executes untrusted JavaScript when a viewer of the page clicks it.
The issues were addressed in BookStack v0.30.4.

Upgrading does not clean the database. After the upgrade, dangerous in-page content is neutralised before a page is displayed, so the page-content issues are no longer exploitable, but a malicious attachment link that was already created remains in place until it is deleted. If you think this could have been exploited, search for potential cases with the following SQL queries:
```sql
# XSS within page content:
select * from pages where html like '%javascript:%';

# Auto-redirect within page content:
select * from pages where html like '%<meta%';

# XSS in page link attachments:
select a.name as attachment_name, p.name as page_name, p.id as page_id from attachments a left join pages p on (a.uploaded_to=p.id) where a.path like '%javascript:%';
```

These are substring matches. Under MySQL's default case-insensitive collations `LIKE` will also catch `JavaScript:`, but it will not catch a scheme broken up with tabs, newlines or HTML entities (`java&#9;script:`, `&#106;avascript:`), which browsers still execute, and it will return pages that merely mention `javascript:` in ordinary text or a code sample. Review each hit by hand. A `javascript:` attachment path has no legitimate use, so any row returned by the third query should be deleted.
Until you can upgrade, restrict page edit permissions to trusted users only. This limits new exploitation but does not address content that has already been injected.
* [BookStack Beta v0.30.4](https://github.com/BookStackApp/BookStack/releases/tag/v0.30.4)
* [GitHub Security Page - XSS/Redirect in Page Content](https://github.com/BookStackApp/BookStack/security/advisories/GHSA-r2cf-8778-3jgp)
* [GitHub Security Page - XSS in Page Attachment](https://github.com/BookStackApp/BookStack/security/advisories/GHSA-7p2j-4h6p-cq3h)
* Thanks to [@PercussiveElbow](https://github.com/PercussiveElbow) for the discovery, reporting, patching and testing of the page-content vulnerabilities.
* Thanks to [Yassine ABOUKIR](https://twitter.com/yassineaboukir/) for the discovery and reporting of the page attachment vulnerability.
If you have any questions or comments about this advisory:
* Open an issue in [the BookStack GitHub repository](https://github.com/BookStackApp/BookStack/issues).
* Ask on the [BookStack Discord chat](https://discord.gg/ztkBqR2).
* Follow the [BookStack Security Advice](https://github.com/BookStackApp/BookStack#-security) to contact someone privately.
<span style="font-size: 0.8em;opacity:0.9;">Header Image Credits: <span>Photo by <a href="https://unsplash.com/@mmayyer?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText">marcos mayer</a> on <a href="https://unsplash.com/s/photos/lock?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText">Unsplash</a></span></span>