We immediately patched the issue and have issued Patch Level releases for the Release Candidates in the VaultWiki 4.x series:
- 4.0.0 RC 3 Patch Level 1
- 4.0.0 RC 2 Patch Level 1
- 4.0.0 RC 1 Patch Level 1
We highly recommend that all users running VaultWiki in a production environment upgrade to a patched release as soon as possible. Note that because the FILE BB-Code does not exist in VaultWiki Lite, VaultWiki Lite is unaffected by this issue.
Details
The FILE BB-Code vulnerability can allow any user with posting permissions to embed malicious JavaScript code on site pages that allow BB-Code. It is relatively easy to exploit, provided the wiki has been set up using a specific configuration that we have historically recommended, and will continue to recommend, on our web site. This vulnerability affects all versions of VaultWiki with the FILE BB-Code (or a variation of it) active, including the VaultWiki 3.x series, and the VaultWiki 2.x series with the Special:Images add-on. Please note that since VaultWiki 3.x reached its End-of-Life almost a year ago, there is no patch for that family or earlier, and it is no longer available for download.
If you are currently using an unpatched version of VaultWiki, it is highly recommended that you upgrade immediately or disable the FILE BB-Code completely via VaultWiki's Syntax Manager (in 3.x series and earlier, this was called the Wiki Code Manager).
If you cannot upgrade yet for any number of reasons and disabling the BB-Code is not an option for your site, you can alternatively purchase an Upgrade Service and use it to request that we manually apply a patch to your installed version.
Please understand that we cannot post specific line-by-line patching instructions without risking being more specific about how to exploit the vulnerability.