Issue List
VWE-2018-4662 is a Permissions Escalation issue, where users who can disconnect children from node-types can also remove reports about those children. This issue affects VaultWiki 4.0.8 and higher, but only affects XenForo-based installations.
VWE-2018-4666 is a Phishing issue, where it is possible to position user-generated content outside of its container by using specially-crafted custom sidebar block headings. This issue affects VaultWiki 4.0.0 RC 1 and higher, but does not affect Lite versions.
VWE-2018-4667 is a Permissions Escalation issue, by which a user viewing a feed can view wiki content that they don't have permission to view, when that content appears within the viewed feed. This issue affects VaultWiki 4.0.0 and higher.
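The feed issue above is the classic aggregation mistake: access is checked once on the feed as a whole, and the items inside it are copied out without re-applying the per-entry check. The following is an added illustration, not VaultWiki's or XenForo's code; the WikiEntry/User data model, the group-based can_read check and the sample entries are all constructed for this example. It shows the leaking pattern beside the hardened one, and a helper that reports which entries the unchecked feed would expose to a given user.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class WikiEntry:
    entry_id: int
    title: str
    body: str
    read_groups: frozenset   # user groups allowed to read this entry (hypothetical model)


@dataclass(frozen=True)
class User:
    name: str
    groups: frozenset


# Constructed sample data: a public page, a staff-only page and a members-only page
# that all appear in the same feed.
ENTRIES = [
    WikiEntry(1, "Getting started", "Public guide", frozenset({"guest", "member", "staff"})),
    WikiEntry(2, "Moderation notes", "Staff-only procedures", frozenset({"staff"})),
    WikiEntry(3, "Member FAQ", "Members-only answers", frozenset({"member", "staff"})),
]
GUEST = User("guest", frozenset({"guest"}))
STAFF = User("mod", frozenset({"member", "staff"}))


def can_read(user, entry):
    """The same per-entry permission check the normal page view would apply."""
    return bool(user.groups & entry.read_groups)


def feed_items_unchecked(entries):
    """Leaking pattern: the feed itself is viewable, so every item is serialized verbatim."""
    return [{"id": e.entry_id, "title": e.title, "body": e.body} for e in entries]


def feed_items_checked(user, entries):
    """Hardened pattern: each item must pass the entry-level check before it is serialized."""
    return [
        {"id": e.entry_id, "title": e.title, "body": e.body}
        for e in entries
        if can_read(user, e)
    ]


def leaked_ids(user, entries):
    """Entry ids the unchecked feed exposes that the hardened feed withholds from this user."""
    shown = {item["id"] for item in feed_items_unchecked(entries)}
    allowed = {item["id"] for item in feed_items_checked(user, entries)}
    return sorted(shown - allowed)


if __name__ == "__main__":
    print("guest would see via unchecked feed:", leaked_ids(GUEST, ENTRIES))
    print("staff would see via unchecked feed:", leaked_ids(STAFF, ENTRIES))
```

The point of routing the feed through the same can_read function as the page view is that there is then only one place where the rule lives; a feed, search result, or alert that builds its own notion of visibility is exactly where this class of leak reappears.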
VWE-2018-4670 is a Denial of Service Amplification issue, where a lack of limits on template usage may allow specially crafted wiki pages and underlying wiki templates to execute many thousands of MySQL queries on that wiki page, which may cause MySQL or PHP to become unresponsive under load. This issue affects all versions of VaultWiki running on XenForo-based installations, but does not affect Lite versions.
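The amplification described above comes from fan-out: a page includes a template, that template includes others, and so on, so a small page can fetch thousands of templates (and run a query for each) before anything is rendered. The snippet below is an added example, not VaultWiki code; its `{{include:name}}` syntax, the Expander class and the fan-out templates are all invented for illustration, and each template fetch stands in for one database query. It counts the fetches an unbounded expansion triggers, then shows the same page refused once a per-page expansion budget and a nesting-depth limit are enforced, including the self-inclusion case.

```python
import re

# Hypothetical mini template language: {{include:name}} pulls in another template.
INCLUDE = re.compile(r"\{\{include:([A-Za-z0-9_]+)\}\}")


class ExpansionBudgetExceeded(Exception):
    """Raised when a page would need more template fetches or nesting than allowed."""


class Expander:
    def __init__(self, templates, max_expansions=None, max_depth=20):
        self.templates = templates          # name -> template source (constructed data)
        self.max_expansions = max_expansions  # None means no per-page cap (the unsafe setting)
        self.max_depth = max_depth
        self.expansions = 0                 # each fetch stands in for one database query

    def expand(self, text, depth=0):
        if depth > self.max_depth:
            raise ExpansionBudgetExceeded(f"nesting deeper than {self.max_depth}")

        def fetch(match):
            self.expansions += 1
            if self.max_expansions is not None and self.expansions > self.max_expansions:
                raise ExpansionBudgetExceeded(
                    f"more than {self.max_expansions} template fetches on one page")
            body = self.templates.get(match.group(1), "")
            return self.expand(body, depth + 1)

        return INCLUDE.sub(fetch, text)


# Constructed fan-out: each level includes the next level ten times, so one page
# triggers 1 + 10 + 100 + 1000 template fetches.
TEMPLATES = {
    "level1": "{{include:level2}}" * 10,
    "level2": "{{include:level3}}" * 10,
    "level3": "{{include:leaf}}" * 10,
    "leaf": "x",
    "loop": "{{include:loop}}",   # self-inclusion, the other failure mode
}
PAGE = "{{include:level1}}"


def fetches_without_budget(page=PAGE):
    """Unbounded expansion: returns how many template fetches one page triggered."""
    ex = Expander(TEMPLATES)  # depth limit still applies, but nothing caps fan-out
    ex.expand(page)
    return ex.expansions


def render_with_budget(page, max_expansions=200):
    """Bounded expansion: returns rendered text, or None when the page exceeds the budget."""
    ex = Expander(TEMPLATES, max_expansions=max_expansions)
    try:
        return ex.expand(page)
    except ExpansionBudgetExceeded:
        return None


if __name__ == "__main__":
    print("fetches with no budget:", fetches_without_budget())
    print("render with budget of 200:", render_with_budget(PAGE))
    print("self-including template:", render_with_budget("{{include:loop}}"))
```

Two limits are needed, not one: the depth limit alone stops self-inclusion but does nothing about wide fan-out, and the fetch budget alone would still let a recursive template spend its whole budget before failing. Counting fetches per page rather than per template is what makes the cost visible at the point where it is incurred.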
VWE-2018-4671 is an On-Site Alert issue, by which an invalid key utilized by the alerts system may result in users receiving on-site alerts for modifications to watched content even though they have opted out via their Alert Preferences. This issue affects all versions of VaultWiki running on XenForo-based installations.
VWE-2018-4673 is a GDPR-related issue, where VaultWiki's data storage and retention processes may be in conflict with the site's IP-address handling policy if the site's own processes and policies were written based on the XenForo admin options for IP pruning alone. The patch resolves the issue by making VaultWiki IP retention consistent with XenForo's IP pruning settings. The conflict exists in all versions of VaultWiki running on XenForo 1.2 and higher.
Patches
The following patches, issued October 8, 2018, address the aforementioned issues:
- 4.0.24 Patch Level 1
- 4.0.23 Patch Level 3
- 4.0.22 Patch Level 5
- 4.0.21 Patch Level 6
- 4.0.20 Patch Level 9
We recommend that all users running VaultWiki in a production environment update to a patched release.