Issue List
VWE-2017-3733 is a Permissions Escalation issue involving wiki attachment permissions. Exploiting the issue usually requires collusion between the uploading user and the downloading users, in order to share files that are otherwise not allowed. The issue affects all versions of the VaultWiki 4.x series, except Lite versions.

VWE-2017-3734 is primarily a Phishing issue, which makes it easier for users to insert links to external web sites that intend to steal the victim's login information; the issue involves a reduced likelihood that the victim would notice that they have navigated to a different web site. The issue affects all versions of the VaultWiki 3.x and 4.x series.
Patches
The following patches address the aforementioned issues:
- 4.0.17 Patch Level 2
- 4.0.16 Patch Level 3
- 4.0.15 Patch Level 7
- 4.0.14 Patch Level 10
- 4.0.13 Patch Level 10
- 4.0.12 Patch Level 11
- 4.0.11 Patch Level 11
We highly recommend that all users running VaultWiki in a production environment update to a patched release as soon as possible.