Issue List
VWE-2018-4972, which was a Permissions Escalation previously patched for vBulletin 3.x, where a user was able to use smilies in wiki content without permission, was discovered to additionally affect vBulletin versions 4.0.0 Alpha 1 - 4.0.12.
VWE-2019-5171 is an Information Disclosure, by which internal requests to a third-party server, such as for image proxy, may reveal the VaultWiki version number to the foreign server.
VWE-2019-5172 is an Information Disclosure, by which the VaultWiki version number is revealed in CSS output.
VWE-2019-5181 is a Permissions Escalation issue, where a user can view the current edit of a page even though the user does not have permission to view the page.
VWE-2019-5188 is a Permissions Escalation issue, where a user can view template output even though the user doesn't have permission to view the template.
VWE-2019-5189 is a Permissions Escalation issue, where a user can inject any page as though it were a template.
Patches
As of May 2, 2019, the following patches address the aforementioned issues:
- 4.0.25 Patch Level 2
- 4.0.24 Patch Level 4
- 4.0.23 Patch Level 6
- 4.0.22 Patch Level 8*
* A patch was issued for this version even though it reached its end-of-life before the patch date, because at least one of the addressed issues was identified prior to its end-of-life. However, we recommend that users update to a more recent patched version.
We recommend that all users running VaultWiki in a production environment update to a patched release.