    • VaultWiki Security Update: October 2018

      by pegasus
      Published on October 10, 2018 12:48 PM
      As of October 10, 2018, the regularly scheduled security patches for October are available.

      Issue List

      VWE-2018-4662 is a Permissions Escalation issue, where users who can disconnect children from node-types can also remove reports about those children. This issue affects VaultWiki 4.0.8 and higher, but only affects XenForo-based installations.

      VWE-2018-4666 is a Phishing issue, where it is possible to position user-generated content outside of its container by using specially-crafted custom sidebar block headings. This issue affects VaultWiki 4.0.0 RC 1 and higher, but does not affect Lite versions.

      VWE-2018-4667 is a Permissions Escalation issue, by which a user viewing a feed can view wiki content that they don't have permission to view, when that content appears within the viewed feed. This issue affects VaultWiki 4.0.0 and higher.

      VWE-2018-4670 is a Denial of Service Amplification issue, where a lack of limits on template usage may allow specially crafted wiki pages and underlying wiki templates to execute many thousands of MySQL queries on that wiki page, which may cause MySQL or PHP to become unresponsive under load. This issue affects all versions of VaultWiki running on XenForo-based installations, but does not affect Lite versions.

      VWE-2018-4671 is an On-Site Alert issue, by which an invalid key utilized by the alerts system may result in users receiving on-site alerts for modifications to watched content even though they have opted out via their Alert Preferences. This issue affects all versions of VaultWiki running on XenForo-based installations.

      VWE-2018-4673 is a GDPR-related issue, where VaultWiki's data storage and retention processes may be in conflict with the site's IP-address handling policy if the site's own processes and policies were written based on the XenForo admin options for IP pruning alone. The patch resolves the issue by making VaultWiki IP retention consistent with XenForo's IP pruning settings. The conflict exists in all versions of VaultWiki running on XenForo 1.2 and higher.

      Patches

      The following patches, issued October 8, 2018, address the aforementioned issues:
      • 4.0.24 Patch Level 1
      • 4.0.23 Patch Level 3
      • 4.0.22 Patch Level 5
      • 4.0.21 Patch Level 6
      • 4.0.20 Patch Level 9


      We recommend that all users running VaultWiki in a production environment update to a patched release.