Issue List
VWE-2018-4336 is a Permissions Escalation issue in environments using a theoretical third-party add-on or custom BB-Code, in which it may be possible to parse unprivileged legacy wiki syntax within a privileged context. In vBulletin, the issue affects all versions of VaultWiki 2.x starting from 2.2.0, and all versions of the 3.x and 4.x series. In XenForo, the issue affects all versions of VaultWiki prior to 4.0.7 that were not already patched for VWE-2015-1601. Lite versions are not affected.
VWE-2018-4337 is a Denial of Service issue, in which an unprivileged user may be able to prevent future edits, comments, and/or other changes to desired wiki pages by abusing the personal feed system. The issue affects VaultWiki 4.0.0 and higher.
VWE-2018-4345 is a Denial of Service issue, in which a limitation added by the patch for VWE-2017-4266 is not enforced. However, due to a bug in the previous patch, denial of service is only possible to achieve via theoretical third-party add-ons which fix the bug.
VWE-2018-4346 is a Denial of Service and Amplification issue, in which the image proxy cache may enter a state where it constantly reprimes, or in which large numbers of cache images may be corrupted. The issue affects VaultWiki 4.0.1 and higher, except Lite versions.
VWE-2018-4347 is a Denial of Service Amplification issue, in which blocking may occur during CSS processing when the patch for VWE-2017-4266 is not applied, or if a theoretical third-party add-on fixes the bug introduced by that patch; in such cases, a well-timed, distributed attack may be able to achieve site-wide denial of service. The issue exists in VaultWiki 4.0.19 and higher.
VWE-2018-4348 is a Permissions Escalation issue, in which a theoretical third-party add-on can be leveraged to indirectly modify different wiki content than the add-on is designed to modify. The issue exists in all versions of the VaultWiki 4.x series.
VWE-2018-4350 is a Permissions Escalation issue, in which a user without permission to remove synonyms from a wiki page may be able to remove those synonyms indirectly by removing a specific, otherwise unrelated, wiki page that the user does have permission to remove. The issue exists in VaultWiki 4.0.16 and higher.
VWE-2018-4352 is a Denial of Service issue, in which an unprivileged user may be able to make certain wiki pages "disappear" via moderated edits, rollbacks, and some other actions. The issue affects all VaultWiki 2.2.3 variants, and all versions of the 4.x series.
VWE-2018-4356 is a Denial of Service issue, in which moderators may be prevented from deleting undesirable wiki content, due to abuse of that content's child content and other relations. The issue affects all versions of the VaultWiki 4.x series. Note, however, that default installations of vBulletin and XenForo 1.x without VaultWiki share similar problems, but those developers do not address it as a security issue.
Patches
The following patches, issued February 8, 2018, address the aforementioned issues:
- 4.0.20 Patch Level 3
- 4.0.19 Patch Level 6
- 4.0.18 Patch Level 7
- 4.0.17 Patch Level 9
We highly recommend that all users running VaultWiki in a production environment update to a patched release.