Issue List
VWE-2017-3978 is a Remote Code Execution issue (previously disclosed) that requires a compromised DNS or a compromised remote server that VaultWiki is using as an import source. The issue affects VaultWiki 4.0.0 Beta 6 - 4.0.17, except lite versions. Versions 4.0.0 Beta 5 and earlier, as well as versions 4.0.18 and later, are not affected by this issue.

VWE-2017-3979 is a Decompression Bomb issue (previously disclosed), which can be exploited to create a Denial of Service condition. The issue affects all versions of VaultWiki 4.x, except lite versions.
VWE-2017-3981 is a Permissions Escalation issue, where it is possible to craft image proxy URLs manually without permission to use functions which generate proxy URLs normally, if the wiki was not installed properly. The issue affects VaultWiki 4.0.1 and later, except lite versions.
VWE-2017-3992 is a Permissions Escalation issue, in which previously uploaded files are still treated as images even though their dimensions exceed the permitted limits, when their file type is newly given image functionality or has its permitted dimensions changed. The issue affects all versions of VaultWiki 4.x, except lite versions.
VWE-2017-3999 is a Data Loss issue in the Admin Panel's Mass Management Tools, in which content that does not meet the search criteria may be accidentally altered or removed if the prepared results are not carefully reviewed. The issue affects VaultWiki 4.0.18 and later.
Patches
The following patches, issued September 13, 2017, address the aforementioned issues:

- 4.0.19 Patch Level 1
- 4.0.18 Patch Level 2
- 4.0.17 Patch Level 4
- 4.0.16 Patch Level 5
- 4.0.15 Patch Level 9
- 4.0.14 Patch Level 12
We highly recommend that all users running VaultWiki 4.x in a production environment update to a patched release.