Issue List
VWE-2017-3857 is a Permissions Escalation involving custom user masks and custom moderator permissions, where "No" and "Never" values that were part of the mask did not take precedence over inherited "Yes" values. The issue affects several Patch Level releases of the VaultWiki 4.x series since 4.0.8, and all versions since 4.0.16.VWE-2017-3858 is a Permissions Escalation involving an incorrect notification that setting all settings to "Not Set" for custom permissions, user masks, or moderator permissions was successful, even when the change could not be successfully saved. In this case, existing "Yes" values will still be in effect, even though the administrator believes that they have been revoked. The issue affects VaultWiki 4.0.12 and higher.
Patches
The following patches, issued August 6, 2017, address the aforementioned issues:- 4.0.18 Patch Level 1
- 4.0.17 Patch Level 3
- 4.0.16 Patch Level 4
- 4.0.15 Patch Level 8
- 4.0.14 Patch Level 11
- 4.0.13 Patch Level 11
We highly recommend that all users running VaultWiki 4.x in a production environment update to a patched release.
Oops!