Issue List
VWE-2017-4317 is a Permissions escalation issue, in which users may be able to see some thread titles in output from the WIDGET BB-Code, even though the users may otherwise not be allowed to view those same threads. The issue affects VaultWiki 4.0.0 RC 3 and later, except Lite versions, on XenForo-based forums only.VWE-2017-4318 is a Permissions escalation issue, in which users may be able to see some cache contents of output from the WIDGET BB-Code, even though the users may otherwise not be allowed to view the same contents. The issue affects VaultWiki 4.0.0 RC 3 and later, except Lite versions.
VWE-2017-4319 is a Permissions escalation issue, in which users may be able to see some cache contents of the Similar Content sidebar block, even though the users may otherwise not be allowed to view the same contents. The issue affects all versions of VaultWiki 4.x series, except Lite versions.
VWE-2017-4320 is a Permissions escalation issue, in which users may be able to circumvent certain limitations that are enforced on wiki books. If the escalation is performed enough times on a single book, a Denial of Service condition can be created on pages that reference the book. The issue affects VaultWiki 4.0.4 and later, except Lite versions.
VWE-2017-4325 is a Permissions escalation issue, in which users may be able to see wiki page titles in Find New Wiki Updates, even though the users may otherwise not be allowed to view the same wiki pages. The issue affects VaultWiki 4.0.4 and later, on XenForo-based forums only.
VWE-2017-4326 is a design flaw that could lead to Permissions escalation or Data Loss in third-party add-ons that rely on VaultWiki's vw_Fetch_Controller::get_by_route function. The issue affects VaultWiki 4.0.16 and later.
Patches
The following patches, issued January 10, 2018, address the aforementioned issues:- 4.0.20 Patch Level 2
- 4.0.19 Patch Level 5
- 4.0.18 Patch Level 6
- 4.0.17 Patch Level 8
- 4.0.16 Patch Level 9*
* A patch was issued for 4.0.16 even though it reached its end of life earlier this January, because at least one of the issues resolved by the patch was discovered prior to its end-of-life. However, we recommend that users upgrade to a more recent patched version.
We highly recommend that all users running VaultWiki 4.x in a production environment update to a patched release.