VaultWiki Security Update: May 2020

As of May 7, security patches for May 2020 are now available.

Issue List

VWE-2020-5782 is a Permissions Escalation issue, where users are able to change a book's chapter order even though their edits require moderation, as long as they have permission to change the book's categories. The issue affects all prior versions of VaultWiki 4.x series.

VWE-2020-5788 is a Permissions Escalation issue, where users can view soft-deleted attachment edits of wiki indexes that are also attachments, without permission to manage soft-deleted index-related content, as long as the user has global permissions to manage soft-deleted content. This is a rare situation involving imports from VaultWiki 3.x, where VaultWiki 3's index page had been set to a wiki attachment. The issue affects VaultWiki 4.1.0 Alpha 1 and higher.

VWE-2020-5789 is a Permissions Escalation issue, where users who are not social group members can add or remove social group pages to wiki indexes that are also social groups, without permission to moderate index-related content, as long as the user has global permissions to moderate content. This is a rare situation involving imports from VaultWiki 3.x, where VaultWiki 3's index page had been set to a social group. The issue affects VaultWiki 4.1.0 Alpha 1 and higher.

VWE-2020-5794 is an HTML Injection issue, where unescaped HTML might appear in certain Open Graph elements. The issue affects all prior versions of VaultWiki 4.x series.

VWE-2020-5795 is a MySQL Injection issue, where users can execute arbitrary MySQL queries by leveraging a flaw in a book's Manage Chapters form. The issue affects all prior versions of VaultWiki 4.x series.

VWE-2020-5804 is a Permissions Escalation issue, where all area content parses with a forum's default parser settings for non-forum content, regardless of area settings, if the forum has Disabling Content Caching active or has recently cleared the content-type cache. The issue affects all prior versions of VaultWiki 4.x series, on vBulletin 4.x-based platforms only.

VWE-2020-5805 is a Permissions Escalation issue, where hook location bbcode_parse_start sees NULL for $forumid in wiki content, which could cause parsing with parser settings for non-wiki content, regardless of area settings, when combined with certain third-party add-ons such as CES Parser Permissions. The issue affects VaultWiki 4.1.0 RC 2, on vBulletin-based platforms only.

Patches

The following patches address the aforementioned issues:

• 4.1.0 RC 2 Patch Level 2
• 4.1.0 RC 1 Patch Level 3
• 4.0.28 Patch Level 3
• 4.0.27 Patch Level 6
• 4.0.26 Patch Level 8*

*A patch was issued for this version even though it reached its end-of-life on the patch date, because at least one of the addressed issues was identified prior to its end-of-life. However, we recommend that users update to a more recent patched version.

Notes

We strongly recommend that all users running VaultWiki in a production environment update to a patched release.