Issue List
VWE-2018-4610 is a Permissions Escalation issue, by which a user may be able to view link statistics for a page even though that user has no permission to view the same page. The issue affects all prior versions of VaultWiki 2.x, 3.x, and 4.x, but it does not affect Lite versions.
VWE-2018-4614 is a Permissions Escalation issue, which could lead to Denial of Service. In some situations, disk space usage limits are not enforced. The issue affects VaultWiki 4.0.22 and higher, but it does not affect Lite versions.
VWE-2018-4618 is a Permissions Escalation issue, by which a user can view templated content even though that user has no permission to view the template. The issue affects all prior versions of VaultWiki 2.x, 3.x, and 4.x, but it does not affect Lite versions. Note that after applying this patch, in order to view templated content, a user must have permission to view the contents of the area that contains the template.
VWE-2018-4620 is a Legal issue, where under some versions of PHP, a user may be able to successfully upload a JPG image containing XMP metadata that is not preserved, as required by some laws, in resized versions of the image. The issue affects patches for VWE-2017-4030, and VaultWiki versions 4.0.20 and higher, but it does not affect Lite versions.
Patches
The following patches, issued July 18, 2018, address the aforementioned issues:
- 4.0.23 Patch Level 1
- 4.0.22 Patch Level 3
- 4.0.21 Patch Level 4
- 4.0.20 Patch Level 7
- 4.0.19 Patch Level 10
We highly recommend that all users running VaultWiki in a production environment update to a patched release.