Issue List
VWE-2022-6416 is an Information Disclosure issue, where some variants of the VAR BB-Code allow any wiki editor to view and publicize the current VaultWiki version number. The issue affects VaultWiki 4.0.19 and higher. Prior to 4.0.19, Information Disclosures were not treated as security issues.

VWE-2022-6420 is an HTML Injection issue, where, by leveraging a flaw in how overly-long WIKI BB-Code usages are cropped, a malicious user can modify the expected contents of HTML blocks outside the intended user-generated content locations. The issue affects VaultWiki 4.0.9 and higher, as well as earlier patches for VWE-2016-2072.
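The advisory does not publish the affected VaultWiki code, so the following is an added, generic illustration of the bug class behind VWE-2022-6420 rather than VaultWiki's own parser or fix: a tiny BB-Code renderer for a hypothetical `[wiki=Title]label[/wiki]` tag, the vulnerable ordering (render first, then crop the HTML by character count, which can cut inside a tag or attribute and leave the container unbalanced), the safe ordering (crop the user's source text, then render), and a structural self-check a renderer can run over its own output. The tag syntax, the page skeleton and the sample input are constructed for this example.

```python
import html
import re

# Constructed, minimal stand-in for a BB-Code engine: [wiki=Title]label[/wiki]
# becomes a link. Everything else is HTML-escaped. Not VaultWiki's parser.
WIKI_TAG = re.compile(r"\[wiki=([^\]]+)\](.*?)\[/wiki\]", re.S)


def render_bbcode(source: str) -> str:
    """Escape the user text first, then expand the (already escaped) tag usages."""
    escaped = html.escape(source, quote=True)
    return WIKI_TAG.sub(
        lambda m: f'<a href="/wiki/{m.group(1)}">{m.group(2)}</a>', escaped
    )


def crop_after_render(source: str, limit: int) -> str:
    """Vulnerable ordering: render, then crop the HTML by character count.
    An overly long usage pushes the cut inside the tag or its attribute, so the
    fragment ends with an open tag/quote that swallows the page HTML after it."""
    return render_bbcode(source)[:limit]


def crop_before_render(source: str, limit: int) -> str:
    """Safe ordering: crop the source text, then render. A usage truncated by
    the crop no longer matches the tag pattern and stays as escaped text."""
    return render_bbcode(source[:limit])


# Tag tokenizer for the self-check below; the renderer only emits <a>, so every
# tag is expected to have a matching close (void tags like <br> are not handled).
OPEN_OR_CLOSE = re.compile(r"<(/?)([A-Za-z][A-Za-z0-9]*)[^<>]*>")


def is_well_formed(fragment: str) -> bool:
    """Defence-in-depth check on rendered output: no cut inside a tag (a '<'
    after the last '>'), an even number of attribute quotes, and every opened
    tag closed in order. Data is escaped, so raw '<' and '"' only come from tags."""
    if fragment.rfind("<") > fragment.rfind(">"):
        return False
    if fragment.count('"') % 2:
        return False
    stack = []
    for m in OPEN_OR_CLOSE.finditer(fragment):
        closing, name = m.group(1), m.group(2).lower()
        if closing:
            if not stack or stack.pop() != name:
                return False
        else:
            stack.append(name)
    return not stack


# Constructed page skeleton: the cropped preview sits before site-controlled HTML.
PAGE = '<div class="wiki-preview">{body}</div><div class="sidebar">site controls</div>'


def build_page(fragment: str) -> str:
    return PAGE.format(body=fragment)


# Constructed sample: one usage whose title alone exceeds the preview limit.
LONG_TITLE = "A" * 200
SAMPLE = f"[wiki={LONG_TITLE}]see this[/wiki] trailing text"
LIMIT = 80

if __name__ == "__main__":
    bad = crop_after_render(SAMPLE, LIMIT)
    good = crop_before_render(SAMPLE, LIMIT)
    print("crop after render well-formed:", is_well_formed(bad))    # False
    print("crop before render well-formed:", is_well_formed(good))  # True
    print(build_page(bad))
```

With the sample input, the vulnerable path yields a fragment that ends inside `href="..."`, so in a browser the unclosed quote and tag extend into the sidebar markup that follows. Cropping the source text first is the actual fix; the structural check is a cheap guard to fail closed if some other code path still emits a cut fragment.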
VWE-2022-6426 is a Denial of Service issue, where, because web-based deferred tasks may be processed in rapid succession, VaultWiki's deferred tasks trigger a false positive in denial-of-service protective measures on some hosts and server configurations. This causes some visitors to inappropriately receive temporary bans, or the hosting account to be temporarily suspended. The issue affects all versions of the VaultWiki 4.x series, although it is more pronounced on XenForo-based platforms.
Patches
The following patches address the aforementioned issues:

- 4.1.4 Patch Level 2
- 4.1.3 Patch Level 4
- 4.1.2 Patch Level 7