+++
categories = ["Releases"]
tags = ["Releases"]
title = "BookStack Security Release v22.02.3"
date = 2022-03-07T15:00:00Z
author = "Dan Brown"
image = "/images/blog-cover-images/unsplash/fence-birds-yudi-m.jpg"
slug = "bookstack-release-v22-02-3"
draft = false
+++

BookStack v22.02.3 has been released.
This is a security release that adds better protections against embedded content
that could be used in malicious ways. This effectively restricts embedded iframe
content in an allow-list approach.

A new `ALLOWED_IFRAME_SOURCES` option has been added to provide configuration of
allowed embed/iframe sources within BookStack pages, and this defaults to a couple
of popular services such as YouTube and Vimeo.
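As an added illustration of the allow-list approach described above (example code, not BookStack's own implementation), the following Python audits saved page HTML against a constructed allow-list in the spirit of `ALLOWED_IFRAME_SOURCES`. The space-separated origin format and the `*.`-subdomain wildcard semantics are assumptions; the comparison is made on the parsed scheme and hostname so that case, path, userinfo and scheme-less tricks do not slip past.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list (assumed format, not BookStack's real defaults):
# space-separated origins, "*." permitting subdomains only.
ALLOWED_IFRAME_SOURCES = "https://*.youtube.com https://*.vimeo.com https://player.vimeo.com"


def parse_allow_list(value):
    """Turn the option string into (scheme, host, wildcard) rules."""
    rules = []
    for entry in value.split():
        parsed = urlparse(entry)
        host = parsed.hostname or ""
        wildcard = host.startswith("*.")
        rules.append((parsed.scheme, host[2:] if wildcard else host, wildcard))
    return rules


def source_allowed(src, rules):
    """True only for an absolute http(s) URL whose parsed host matches a rule."""
    parsed = urlparse(src.strip())
    host = parsed.hostname  # lower-cased, userinfo and port stripped
    # Relative, protocol-relative, javascript:/data:/about: sources are rejected.
    if not host or parsed.scheme not in ("http", "https"):
        return False
    for scheme, rule_host, wildcard in rules:
        if parsed.scheme != scheme:
            continue
        if (wildcard and host.endswith("." + rule_host)) or (not wildcard and host == rule_host):
            return True
    return False


class IframeAuditor(HTMLParser):
    def __init__(self, rules):
        super().__init__()
        self.rules, self.allowed, self.blocked = rules, [], []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":  # classify every <iframe src> found in the content
            src = dict(attrs).get("src") or ""
            (self.allowed if source_allowed(src, self.rules) else self.blocked).append(src)


def audit_page_html(html, option=ALLOWED_IFRAME_SOURCES):
    """Return (allowed, blocked) iframe sources found in page HTML."""
    auditor = IframeAuditor(parse_allow_list(option))
    auditor.feed(html)
    return auditor.allowed, auditor.blocked


# Constructed sample content: two legitimate embeds plus sources that must be blocked.
SAMPLE_PAGE = """<iframe src="https://www.youtube.com/embed/abc123"></iframe>
<iframe src="HTTPS://Player.Vimeo.com/video/1"></iframe>
<iframe src="https://not-a-video.example/youtube.com"></iframe>
<iframe src="javascript:void(0)"></iframe>
<iframe src="https://www.youtube.com@attacker.example/"></iframe>
<iframe src="//www.youtube.com/embed/x"></iframe>"""
```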

Please see this link for more detail regarding this option:
- https://www.bookstackapp.com/docs/admin/security/#iframe-source-control
  - ("Iframe Source Control" section)

It's advised to upgrade as soon as possible if untrusted users can create or update
pages within your BookStack instance.

* [Update instructions](https://www.bookstackapp.com/docs/admin/updates)
* [GitHub release page](https://github.com/BookStackApp/BookStack/releases/tag/v22.02.3)

Thanks to @416e6e61 (Anna) for discovering and reporting this vulnerability via huntr.dev.

### Full List of Changes

* Added iframe allow-list control to prevent a range of malicious uses of untrusted iframe sources. ([#3314](https://github.com/BookStackApp/BookStack/issues/3314))
* Updated translations with latest Crowdin changes. ([#3312](https://github.com/BookStackApp/BookStack/pull/3312))


### For More Information

If you have any questions or comments about this advisory:
* Open an issue in [the BookStack GitHub repository](https://github.com/BookStackApp/BookStack/issues).
* Ask on the [BookStack Discord chat](https://discord.gg/ztkBqR2).
* Follow the [BookStack security policy](https://github.com/BookStackApp/BookStack/blob/development/.github/SECURITY.md) to contact someone privately.

----

<span style="font-size: 0.8em;opacity:0.9;">Header Image Credits: <span>Photo by <a href="https://unsplash.com/@yudi_m?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText">Yudi M</a> on <a href="https://unsplash.com/s/photos/fence?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText">Unsplash</a></span></span>
48 <span style="font-size: 0.8em;opacity:0.9;">Header Image Credits: <span>Photo by <a href="https://unsplash.com/@yudi_m?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText">Yudi M</a> on <a href="https://unsplash.com/s/photos/fence?utm_source=unsplash&utm_medium=referral&utm_content=creditCopyText">Unsplash</a></span></span>