
    • VaultWiki Security Update: June 2019

      by
      pegasus
      Published on June 8, 2019 6:42 AM
      As of June 7, the security patches for June 2019 are now available.

      Issue List

      VWE-2019-5193 is an HTML/JavaScript injection issue where, by leveraging XHR requests, users may be able to embed new HTML in the requested page or save content that is rendered as HTML, without appropriate permission. It affects 4.0.0 Gamma 6 and higher.

      VWE-2019-5261 is a Subscription Management issue, where imported subscriptions don't flag the correct user as having active subscriptions. While subscriptions are disabled globally, those users could be unable to manage their imported subscriptions if they don't have non-imported subscriptions too. It affects 4.0.0 Gamma 7 and higher.

      Patches

      As of June 7, 2019, the following patches address the aforementioned issues:
      • 4.0.26 Patch Level 1
      • 4.0.25 Patch Level 3
      • 4.0.24 Patch Level 5
      • 4.0.23 Patch Level 7*

      * A patch was issued for this version even though it reached its end-of-life before the patch date, because at least one of the addressed issues was identified prior to its end-of-life. However, we recommend that users update to a more recent patched version.

      4.1.x Issues

      Since beta versions are not subject to the same patching policy as stable versions, the following issues are patched in a new build of the current 4.1.x branch version, 4.1.0 Beta 1, in addition to any relevant issues listed above.

      VWE-2019-5241 is a Permissions Escalation issue, where users can view the output of certain sidebar-type WIDGET BB-Codes without permission, as long as they have permission to view output of a specific other sidebar-type widget, which varies from case to case. The issue affects XenForo 2.x only.

      VWE-2019-5244 is a Denial of Service issue where, by exploiting a bug while renaming content, malicious users can make pages disappear completely. The issue affects XenForo 2.x only.

      VWE-2019-5266 is a Permissions Escalation issue, by which a user can use specially crafted BB-Codes and template parameters to circumvent area parser settings. The issue affects XenForo 2.x only.

      VWE-2019-5268 is a Subscription Management issue, where user requests to mass-disable all email notifications for wiki subscriptions or to empty entire wiki subscription folders will not complete successfully.

      Notes

      We recommend that all users running VaultWiki in a production environment update to a patched release.