This vulnerability, dubbed Color-by-Numbers, can be used to read sensitive information from the database, such as the password hashes of arbitrary users.
This issue affects all versions of VaultWiki since 4.0.6, except Lite versions.
On November 1, we released the following patches to address this issue:
- 4.0.14 Patch Level 3
- 4.0.13 Patch Level 3
- 4.0.12 Patch Level 4
- 4.0.11 Patch Level 4
- 4.0.10 Patch Level 5
- 4.0.9 Patch Level 5
- 4.0.8 Patch Level 7
We strongly recommend that all users running VaultWiki 4.0.6 or higher in a production environment update to a patched release as soon as possible.