BookStack v0.29.2 Release Notes
Release Date: 2020-05-02
Security Release
- Update Instructions
- Vulnerability Report
This release addresses vulnerabilities in the comment system. A user with permission to create comments could POST HTML directly to the system to be saved in a comment, which would then be executed/displayed to other users viewing the comment. Through this vulnerability, custom JavaScript code could be injected and therefore run on other users' machines.
This most impacts scenarios where untrusted users are given permission to create comments.
After upgrading, the command
php artisan bookstack:regenerate-comment-content
should be run to remove any pre-existing dangerous content.
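
An added example, not BookStack's own code: a triage pass over stored comment HTML that flags active content of the kind described above, so affected comments can be recorded before the cleanup command rewrites them. The function name, tag and attribute lists, and sample rows are assumptions constructed for illustration; exporting the comment rows from your own database is left out.

```php
<?php
// Added example (hypothetical helper): flag script-capable markup in stored comment HTML.
// This is a triage heuristic for incident review, not a sanitizer.
function findActiveContent(string $html): array
{
    $findings = [];
    $doc = new DOMDocument();
    // Comment fragments may be malformed; collect parser warnings instead of printing them.
    $prev = libxml_use_internal_errors(true);
    $doc->loadHTML('<?xml encoding="utf-8"?><div>' . $html . '</div>');
    libxml_clear_errors();
    libxml_use_internal_errors($prev);

    $activeTags = ['script', 'iframe', 'object', 'embed', 'form', 'style', 'link', 'meta', 'base', 'svg'];
    $urlAttrs = ['href', 'src', 'action', 'formaction'];
    foreach ($doc->getElementsByTagName('*') as $el) {
        $tag = strtolower($el->nodeName);
        if (in_array($tag, $activeTags, true)) {
            $findings[] = "element <$tag>";
        }
        foreach ($el->attributes as $attr) {
            $name = strtolower($attr->nodeName);
            // Browsers ignore whitespace and control characters inside a URL scheme, so strip them first.
            $value = strtolower((string) preg_replace('/[\x00-\x20]+/', '', (string) $attr->nodeValue));
            if (strpos($name, 'on') === 0) {
                $findings[] = "event handler $name on <$tag>";
            } elseif (in_array($name, $urlAttrs, true) && preg_match('/^(javascript|vbscript|data):/', $value)) {
                $findings[] = "script-capable URL in $name on <$tag>"; // data: on <img> is a likely false positive
            }
        }
    }
    return array_values(array_unique($findings));
}

// Constructed sample rows (comment id => stored HTML), not real data.
$comments = [
    101 => '<p>Looks good, thanks!</p>',
    102 => '<p>See notes</p><script>/* constructed */</script>',
    103 => '<p><img src="x.png" onerror="void 0"></p>',
    104 => '<p><a href="https://example.com/">link</a></p>',
];

foreach ($comments as $id => $html) {
    $hits = findActiveContent($html);
    echo $id, ': ', $hits ? implode('; ', $hits) : 'clean', PHP_EOL;
}
```

Any comment it flags is worth correlating with its author and creation time, since the cleanup command removes the stored content itself.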