BookStack is vulnerable to Improper Access Control.
Moderate severity
GitHub Reviewed
Published
Dec 16, 2021
to the GitHub Advisory Database
•
Updated Jan 30, 2023
Description
Published by the National Vulnerability Database
Dec 15, 2021
Reviewed
Dec 16, 2021
Published to the GitHub Advisory Database
Dec 16, 2021
Last updated
Jan 30, 2023
BookStack prior to version 21.11.3 is vulnerable to Improper Access Control. A logged-in user with no privileges OR guest user (if public access enabled) can access the /search/users/select AJAX endpoint meant for admins to manage audit logs, to dump all usernames existing in the Bookstack database. This can also be used to harvest email belonging to a user because BookStack also uses the code where(
email
,like
,%
. $search .%
) to search for users based on email.References