PT-2021-23163 · Bookstack

Haxatron · Published 2021-12-15 · Updated 2022-08-09 · CVE-2021-4119

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: BookStack versions prior to 21.11.3

Description: The issue allows a logged-in user with no privileges, or a guest user if public access is enabled, to access the "/search/users/select" AJAX endpoint, which is meant for admins to manage audit logs. This can be used to dump all usernames existing in the BookStack database. It can also be used to harvest the email address belonging to a user, because BookStack searches users by email with a wildcard match: where('email', 'like', '%' . $search . '%').

Recommendations: For versions prior to 21.11.3, update to version 21.11.3 or later to resolve the issue. As a temporary workaround, consider restricting access to the "/search/users/select" AJAX endpoint to minimize the risk of exploitation. Avoid using the email variable in the affected endpoint until the issue is resolved.
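The pattern behind the finding, as an added illustration that is not BookStack's own code: a Laravel controller action in the shape of the affected endpoint, first in the weak form the description implies and then hardened with the authorization check the endpoint was missing. The User model, the users-manage permission string and the userCan() helper are assumptions, not taken from the project.

```php
<?php
// Added illustration (not BookStack's own code). Assumptions: a Laravel `User`
// model with `name` and `email` columns, a `userCan('users-manage')` helper on
// the authenticated user, and the route GET /search/users/select?search=<term>.

namespace App\Http\Controllers;

use App\Models\User;
use Illuminate\Http\Request;

class UserSearchController extends Controller
{
    // Weak form: no authorization check, so any logged-in user (or a guest when
    // public access is enabled) can call it, and matching on email means the
    // response confirms which addresses exist in the database.
    public function forSelectWeak(Request $request)
    {
        $search = $request->get('search', '');
        return User::where('name', 'like', '%' . $search . '%')
            ->orWhere('email', 'like', '%' . $search . '%')
            ->get(['id', 'name', 'email']);
    }

    // Hardened form: require the admin-level permission the endpoint exists for,
    // search the display name only, escape the LIKE metacharacters the caller
    // controls, cap the result size, and never return email addresses.
    public function forSelect(Request $request)
    {
        $user = $request->user();
        if ($user === null || !$user->userCan('users-manage')) {
            abort(403);
        }

        $search = (string) $request->get('search', '');
        // Escape backslash, % and _ so the caller cannot widen the match.
        $escaped = str_replace(['\\', '%', '_'], ['\\\\', '\\%', '\\_'], $search);

        return User::where('name', 'like', '%' . $escaped . '%')
            ->limit(50)
            ->get(['id', 'name']);
    }
}
```

The 403 check is the fix for the access-control weakness; dropping email from both the match and the response removes the harvesting channel even for callers who do hold the permission.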

Weakness Enumeration: Improper Access Control

Related Identifiers: CVE-2021-4119, GHSA-9C5C-5J4H-8Q2C

Affected Products: Bookstack