BookStack prior to version 21.11.3 is vulnerable to Improper Access Control. A logged-in user with no privileges OR guest user (if public access enabled) can access the /search/users/select AJAX endpoint meant for admins to manage audit logs, to dump all usernames existing in the Bookstack database. This can also be used to harvest email belonging to a user because BookStack also uses the code where(email
, like
, %
. $search . %
) to search for users based on email.