Issue List
VWE-2017-4131 is a Denial of Service amplification issue which might be triggered in the processing of some JPEG files. The issue affects the September 2017 patches.
VWE-2017-4138 is a CAN-SPAM Compliance issue, involving a potential conflict with third-party XenForo add-ons, in which emails from add-ons that provide email templates without defining plain-text variants might be sent with blank body contents. The issue affects the September 2017 patches; however, add-ons that were affected by this issue should still be updated to include plain-text variants in order to ensure maximum compatibility with clients.
VWE-2017-4152 is a CAN-SPAM Compliance issue, in which the unsubscribe links in some wiki email notifications are not routed correctly. The issue affects some emails sent by VaultWiki 4.0.16 and higher.
VWE-2017-4153 is a CAN-SPAM Compliance issue, in which subscriptions with corrupt compliance information may generate emails anyway. The issue affects corrupt data in all versions of the VaultWiki 4.x series.
Patches
The following patches, issued October 15, 2017, address the aforementioned issues:
- 4.0.19 Patch Level 3
- 4.0.18 Patch Level 4
- 4.0.17 Patch Level 6
- 4.0.16 Patch Level 7
- 4.0.15 Patch Level 11
We highly recommend that all users running VaultWiki 4.x in a production environment update to a patched release.