Issue List
VWE-2018-4394 is a Permissions Escalation issue, in which users may be able to create certain wiki page-types without permission, as long as the user has permission to create normal pages. The issue affects all previous versions of the VaultWiki 4.x series, but does not affect Lite versions.VWE-2018-4471 is a Race Condition issue, in which it is possible to run the same deferred task multiple times, leading to data de-synchronization, superfluous emails to users, and/or other problems which may occur in third-party tasks. The issue affects VaultWiki 4.0.0 Beta 6 and higher.
VWE-2018-4485 is a Permissions Escalation issue, where users may be able to view the titles of content in a Similar Content block, without permission to view that content, by leveraging the WIDGET BB-Code. It occurs in patches for VWE-2017-4318 and later versions, but does not affect the Lite version.
Patches
The following patches, issued March 16, 2018, address the aforementioned issues:- 4.0.21 Patch Level 1
- 4.0.20 Patch Level 4
- 4.0.19 Patch Level 7
- 4.0.18 Patch Level 8
- 4.0.17 Patch Level 10*
*A patch was issued for 4.0.17 even though it reached its end of life earlier this March, because at least one of the issues resolved by the patch was discovered prior to its end-of-life. However, we recommend that users upgrade to a more recent patched version.
We highly recommend that all users running VaultWiki in a production environment update to a patched release.