The "Greedy Widget Vulnerability" enabled malicious users to create a denial of service condition using malformed WIDGET BB-Codes. The issue had existed since VaultWiki 4.0.0 RC 3, but it did not affect VaultWiki Lite.
The "Blabbermouth Vulnerability" enabled users to bypass view restrictions on private forums and wiki areas in order to obtain the names of content items in those locations and certain metadata about those items. The issue had existed since VaultWiki 4.0.0 RC 3, but it did not affect VaultWiki Lite.
The "Presumptuous Post Vulnerability" enabled users to bypass view restrictions on some deleted or moderated wiki content. The issue had existed since VaultWiki 4.0.0 Beta 1, including in VaultWiki Lite, but it only affected XenForo platforms.
We have published the following Patch Level releases to resolve these issues:
- 4.0.8 Patch Level 2
- 4.0.7 Patch Level 3
- 4.0.6 Patch Level 6
- 4.0.5 Patch Level 6
- 4.0.4 Patch Level 6
- 4.0.3 Patch Level 6
- 4.0.2 Patch Level 9
We highly recommend that all users running VaultWiki in a production environment update to a patched release as soon as possible.