
Cloud Vulnerability DB
A community-led vulnerabilities database
BookStack, a content management system, was found to be vulnerable to Improper Access Control (CVE-2021-4119). The vulnerability was discovered and disclosed in December 2021, affecting BookStack versions up to and including 21.11.2. This security issue allowed unauthorized access to user details through the search functionality (NVD, CVE).
The vulnerability stemmed from improper access control in the user search functionality, specifically in the /search/users/select endpoint. The issue allowed email address discovery through search queries and lacked proper permission checks for user management functions. The vulnerability received a CVSS v3.1 base score of 9.8 (Critical) from NVD, while huntr.dev assessed it with a CVSS 3.0 score of 5.3 (Medium) (NVD).
The vulnerability could allow unauthorized users to harvest email addresses and user details through the search functionality. This could potentially lead to unauthorized access to sensitive user information and enable further targeted attacks against the system's users (GitHub Commit).
The issue was addressed through a security patch that implemented several changes: removed email address searching to prevent email detail discovery, required user authentication and specific permissions (manage users or manage permissions), and restricted user migration options during user deletion to those with proper permissions (GitHub Commit).
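As an added illustration, not BookStack's own code or the patch itself, the following Python models the user-search endpoint before and after the fix described above: the pre-fix version matches the query against email addresses with no permission check, while the fixed version requires an authenticated caller holding a user-management permission and searches names only. The permission names, user records and function names are assumed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    email: str
    permissions: frozenset = field(default_factory=frozenset)


# Constructed sample accounts; not real BookStack data.
USERS = [
    User("Alice Example", "alice@example.test", frozenset({"manage-users"})),
    User("Bob Example", "bob@example.test"),
    User("Carol Example", "carol@example.test"),
]

# Assumed permission names standing in for "manage users" / "manage permissions".
REQUIRED_PERMISSIONS = frozenset({"manage-users", "manage-permissions"})


class Forbidden(Exception):
    """Raised when the caller may not use the user-search endpoint."""


def search_users_vulnerable(query, requester=None):
    """Models the pre-fix behaviour: any caller (even unauthenticated, modelled
    as requester=None) can query, and the query is matched against email
    addresses, so a partial email such as 'bob@' reveals the full address."""
    q = query.lower()
    return [u for u in USERS if q in u.name.lower() or q in u.email.lower()]


def can_search_users(requester):
    """Permission check added by the fix: caller must be authenticated and
    hold at least one user-management permission."""
    return requester is not None and bool(requester.permissions & REQUIRED_PERMISSIONS)


def search_users_fixed(query, requester=None):
    """Models the patched behaviour: enforce the permission check, then match
    on names only so email addresses can no longer be discovered."""
    if not can_search_users(requester):
        raise Forbidden("user management permission required")
    q = query.lower()
    return [u for u in USERS if q in u.name.lower()]
```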
Source: This report was generated using AI