Issue List
VWE-2021-6097 is a MySQL Injection issue, where users may be able to perform arbitrary MySQL by utilizing a flaw in platform-based attachment management. The issue affects all versions of the VaultWiki 4.x series.VWE-2021-6098 is a Permissions Escalation issue, where a user can associate platform-based attachments to wiki comments, even though those attachments were uploaded by another user account with different attachment permissions and/or quotas, or by the same user account under a different context with different attachment permissions and/or quotas. The issue affects all versions of the VaultWiki 4.x series.*
* Please be aware that variations of the same issue also affect basic content-types on stock installations of both vBulletin and XenForo. XenForo developers have been notified of the issue, but as of this notice, the issue has not yet been addressed. Since vBulletin 4.x and lower is already end-of-life, this would never be patched by vBulletin's developers. In the absence of a patch, the only way to prevent this issue from being exploited would be to disable all platform-based attachments (posts, conversations, etc) that are not patched. Also, depending on the method, a future XenForo patch could break the fix that we have applied to wiki comments.
VWE-2021-6099 is a Permissions Escalation issue, where a malicious user who can edit the wiki index can also change the index into a sub-area, or who can edit index-level feeds can move those feeds to another area. The issue affects VaultWiki 4.1.0 Alpha 1 and higher.
VWE-2021-6100 is an HTML Injection issue, where when previewing content or displaying an error, an editor field is presented again after submission without reencoding the submitted value. The issue affects all versions of the VaultWiki 4.x series.
VWE-2021-6101 is an HTML Injection issue, where when previewing content or displaying an error, an editor field is presented again after submission without reencoding the submitted value. The issue affects all versions of the VaultWiki 4.x series, but only on vBulletin-based platforms.
VWE-2021-6102 is an HTML Injection issue, where usernames are not displayed consistently in an escaped format. The issue affects all versions of the VaultWiki 4.x series, but only on XenForo-based platforms.
VWE-2021-6103 is an HTML Injection issue, where certain IP address values are not displayed in an escaped format. The issue affects the VaultWiki 2.2.x-2.5.x series, the VaultWiki 3.x series, and the VaultWiki 4.x series.
VWE-2021-6104 is an HTML Injection issue, where certain fields are not escaped properly in the wiki's RSS feeds. The issue affects all versions of the VaultWiki 4.x series.
VWE-2021-6105 is a Permissions Escalation issue, where a user can associate wiki-based files to wiki attachments, even though those files were uploaded under a different context with different attachment permissions, or even though those files are associated to an existing attachment that was created by another user or context with different attachment permissions. The issue affects all versions of the VaultWiki 2.x, 3.x, and 4.x series.
VWE-2021-6106 is a Permissions Escalation issue, where a user can upload wiki-based files even though those files are not permitted in the selected target area. The issue affects all versions of the VaultWiki 4.x series.
VWE-2021-6107 is a Permissions Escalation issue, where it is possible to upload an image with dimensions larger than the maximum permitted dimensions via a specially-crafted image file that exceeds the maximum permitted file size. The issue affects all versions of the VaultWiki 4.x series.
Patches
The following patches address the aforementioned issues:- 4.1.1 Patch Level 5
- 4.1.0 Patch Level 7
- 4.1.0 RC 3 Patch Level 9*
*A patch was issued for this version even though it reached its end-of-life before the patch date, because at least one of the addressed issues was identified prior to its end-of-life. However, we recommend that users update to a more recent patched version.