Issue List
VWE-2017-3677 is a Subscription Management Flaw affecting two groups of users whose accounts were created while VaultWiki was installed: (1) users who registered while the VaultWiki add-on was disabled; and (2) users who were imported into XenForo from another forum. Neither group was able to change their default preferences regarding new wiki subscriptions. The issue affects all versions of the VaultWiki 4.x series.
VWE-2017-3679 is a Denial of Service Amplification issue involving specific syntax nesting combinations when using MediaWiki syntax support. The issue affects all versions of the VaultWiki 4.x series, except Lite versions.
VWE-2017-3682 is a CAN-SPAM Non-compliance issue involving some wiki subscriptions that were imported into VaultWiki from another installation that was running VaultWiki 4.0.16 or higher. The affected subscriptions would never send valid unsubscribe links. The issue affects all versions of the VaultWiki 4.x series, except Lite versions; however, imports from Lite versions may also be affected. If your import was already affected, please follow the instructions in the issue disclosure.
VWE-2017-3683 is a Subscription Management Flaw that occurs when adding a comment to a wiki discussion. The user's default wiki subscription preference was taking precedence over the user's form selection. It was a regression of the fix for VWE-2017-3428. It affects VaultWiki 4.0.17 build 001 only.
VWE-2017-3684 is a Denial of Service Amplification issue in Synonyms management. It affects all versions of the VaultWiki 4.x series, except Lite versions.
VWE-2017-3686 is a Permissions Escalation issue involving users who were granted permission to delete wiki content but whose permissions also require moderation for new content and new edits. Certain changes by these users were being accepted before a moderator had a chance to review them. The issue affects all versions of the VaultWiki 4.x series, except Lite versions.
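The class of bug behind VWE-2017-3686 is a moderation gate that is checked on the "new" and "edit" paths but not on the "delete" path, so a user who is both allowed to delete and subject to moderation gets an unreviewed change through. The following is an added illustration written for this page, not VaultWiki code; the permission flags, the Page model and the function names are invented to show the flawed and the hardened decision logic side by side.

```python
"""Hypothetical model of the moderation-bypass class described above.
Added example; not VaultWiki's code. All names are invented."""
from dataclasses import dataclass, field


@dataclass
class Perms:
    can_delete: bool      # user may delete wiki content
    moderate_new: bool    # user's new content must be reviewed first
    moderate_edit: bool   # user's edits must be reviewed first


@dataclass
class Page:
    title: str
    live: bool = True
    body: str = ""
    queue: list = field(default_factory=list)   # changes awaiting a moderator


# Constructed permission sets used by scenario() below.
MODERATED_DELETER = Perms(can_delete=True, moderate_new=True, moderate_edit=True)
TRUSTED_DELETER = Perms(can_delete=True, moderate_new=False, moderate_edit=False)
NO_DELETE = Perms(can_delete=False, moderate_new=True, moderate_edit=True)


def change_flawed(page: Page, perms: Perms, action: str, payload: str = "") -> str:
    """Flawed variant: each action has its own branch, and only the 'new' and
    'edit' branches consult the moderation flags. A moderated user holding
    delete rights therefore takes the page offline with no review."""
    if action == "new":
        if perms.moderate_new:
            page.queue.append(("new", payload))
            return "queued"
        page.body = payload
        return "applied"
    if action == "edit":
        if perms.moderate_edit:
            page.queue.append(("edit", payload))
            return "queued"
        page.body = payload
        return "applied"
    if action == "delete":
        if not perms.can_delete:
            return "denied"
        page.live = False          # applied immediately: the bypass
        return "applied"
    raise ValueError(f"unknown action {action!r}")


def change_fixed(page: Page, perms: Perms, action: str, payload: str = "") -> str:
    """Hardened variant: authorisation and the review requirement are decided
    first for every action, and only then is the change applied or queued.
    A deletion is treated as an edit for moderation purposes."""
    if action not in ("new", "edit", "delete"):
        raise ValueError(f"unknown action {action!r}")
    if action == "delete" and not perms.can_delete:
        return "denied"
    needs_review = perms.moderate_new if action == "new" else perms.moderate_edit
    if needs_review:
        page.queue.append((action, payload))
        return "queued"
    _apply(page, action, payload)
    return "applied"


def approve(page: Page, index: int = 0) -> str:
    """Moderator path: pop a queued change and apply it."""
    action, payload = page.queue.pop(index)
    _apply(page, action, payload)
    return action


def _apply(page: Page, action: str, payload: str) -> None:
    if action == "delete":
        page.live = False
    else:
        page.body = payload


def scenario(changer, perms: Perms, action: str = "delete"):
    """Run one change against a fresh page; returns (result, live, queue length)."""
    page = Page(title="Example")
    result = changer(page, perms, action, "edited text")
    return result, page.live, len(page.queue)


if __name__ == "__main__":
    print("flawed :", scenario(change_flawed, MODERATED_DELETER))
    print("fixed  :", scenario(change_fixed, MODERATED_DELETER))
```

With the moderated deleter, the flawed variant returns "applied" and the page is already offline, while the hardened variant returns "queued" with the page still live until a moderator calls approve(). The design point is that the review decision is computed once from the action class rather than re-implemented per branch, which is where the original code path was missed.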
VWE-2017-3687 is a CAN-SPAM Non-compliance issue involving email subscriptions imported into VaultWiki from another installation running the VaultWiki 4.x series. Unsubscribe links sent within the past 30 days were not honored. The issue affects all versions of the VaultWiki 4.x series, except Lite versions; however, imports from Lite versions may also be affected. If your import was already affected, please follow the instructions in the issue disclosure.
Patches
The following patches, released March 30, 2017, address the aforementioned issues:
- 4.0.17 Patch Level 1
- 4.0.16 Patch Level 2
- 4.0.15 Patch Level 6
- 4.0.14 Patch Level 9
- 4.0.13 Patch Level 9
- 4.0.12 Patch Level 10
- 4.0.11 Patch Level 10
- 4.0.10 Patch Level 11
We strongly recommend that all users running VaultWiki 4.x in a production environment update to a patched release as soon as possible.