Issue List
VWE-2024-6630 is a Permissions Escalation issue, where a user can rename content even though they don't have permission to rename content, by modifying the HTML structure of the editor interface in their browser prior to submission. The issue affects VaultWiki 4.1.0 Alpha 1 and higher.
VWE-2024-6631 is a Permissions Escalation issue, where a user who has permission to rename content can create synonyms using the previous name even though they don't have permission to create synonyms. The issue affects all versions of the VaultWiki 4.x series.
VWE-2024-6632 is a Permissions Escalation issue, where a user can change an existing page into an anonymous page without generating a synonym using the previous name even though they don't have permission to remove the existing page. The issue affects all versions of the VaultWiki 4.x series.
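As an added illustration of the three rename-related permission issues above (not VaultWiki's own code, and written in Python rather than PHP as a language-neutral model): the vulnerable handler treats the fields the browser submitted as proof of permission, while the hardened handler authorises every effect of the request on the server. The Permissions and Page classes and the form keys are hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class Permissions:
    rename: bool = False          # may rename content
    create_synonym: bool = False  # may create synonyms from old names
    remove_page: bool = False     # may remove an existing page


@dataclass
class Page:
    name: str
    synonyms: set = field(default_factory=set)


class Forbidden(Exception):
    pass


def rename_vulnerable(page, form, perms):
    # Vulnerable pattern: the rename field is only rendered for users who may
    # rename, so its presence in the submitted form is taken as permission.
    # Re-adding the field in the browser renames anyway (VWE-2024-6630).
    if "new_name" in form:
        old = page.name
        page.name = form["new_name"]
        # Whether the old name survives as a synonym comes from the form,
        # never from a permission check (VWE-2024-6631 / VWE-2024-6632).
        if form.get("keep_synonym", "1") == "1":
            page.synonyms.add(old)
    return page


def rename_fixed(page, form, perms):
    # Hardened pattern: each effect is checked independently of which fields
    # the client chose to send. Renaming without a synonym makes the old name
    # vanish, so it is treated as removing the page stored under that name.
    if "new_name" not in form:
        return page
    if not perms.rename:
        raise Forbidden("rename")
    keep_synonym = form.get("keep_synonym", "1") == "1"
    if keep_synonym and not perms.create_synonym:
        raise Forbidden("create_synonym")
    if not keep_synonym and not perms.remove_page:
        raise Forbidden("remove_page")
    old = page.name
    page.name = form["new_name"]
    if keep_synonym:
        page.synonyms.add(old)
    return page


def denied_reason(handler, page, form, perms):
    """Return the permission the handler refused on, or None if it succeeded."""
    try:
        handler(page, form, perms)
    except Forbidden as e:
        return str(e)
    return None
```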
VWE-2024-6633 is a Backup Restoration issue, where the fully-qualified values of class locations are hardcoded into cache, which is not portable when the database is migrated to another server or directory location on a different day, preventing the software from functioning at the new location. The issue affects VaultWiki 4.1.7 and higher.
VWE-2024-6634 is a Denial of Service issue, where a user who has permission to roll back page revisions can inadvertently make the page inaccessible, unavailable to various search filters, or prevent certain BB-Codes from correctly rendering references to the page, if certain changes to the page are affected by the rollback. The issue affects all versions of the VaultWiki 4.x series.
VWE-2024-6636 is an Incorrect Synchronization issue, where fetching a page with node-level behaviors before routing to that same page can cause an unexpected result when a page with different behaviors is fetched afterwards, which may additionally result in data loss if the latter page is to be modified. The issue affects all versions of the VaultWiki 4.x series.
VWE-2024-6637-1 is an Upgrade issue, where upgrading to VaultWiki for XenForo 2.3 directly from VaultWiki for XenForo 1.x results in wiki moderators who do not have access to the approval queue. The issue affects VaultWiki 4.1.8 and higher, but only on XenForo 2.3 and higher.
VWE-2024-6637-2 is an Upgrade issue, where upgrading to a VaultWiki for XenForo 2.x version of 4.1.3 or later directly from VaultWiki for XenForo 1.x results in VaultWiki unable to find its own database tables partway through the upgrade process and permanently thereafter. The issue affects VaultWiki 4.1.3 and higher, on XenForo 2.x platforms only.
- The patch prevents the issue from occurring in the future. If you are already experiencing this issue, manually execute the following MySQL query:
    INSERT IGNORE INTO vw_patchinfo SELECT `version`, `label` FROM xf_vw_patchinfo
VWE-2024-6638 is an Upgrade issue, where, when upgrading to a VaultWiki for XenForo 2.x version of 4.1.6 or later directly from VaultWiki for XenForo 1.x while another add-on that extends XenForo's parser classes is already installed, VaultWiki is unable to extend the parser classes needed to complete the upgrade. The issue affects VaultWiki 4.1.6 and higher, on XenForo 2.x platforms only.
VWE-2024-6639 is a Permissions Escalation issue, where wiki content stored at the wiki index ignores the wiki index's rules and permissions for what types of syntax may be parsed. The issue affects all versions of the VaultWiki 4.x series, in PHP versions prior to the 8.x series only.
Patches
The following patches address the aforementioned issues:
- 4.1.8 Patch Level 1
VaultWiki 3.x Issues
Even though the VaultWiki 3.x series has not been updated for a decade and no longer receives patches, we do occasionally discover new issues affecting that series which require disclosure. As has been the guidance for many years now, anyone still running VaultWiki 3.x (or earlier!) in a production environment should upgrade to a supported version of VaultWiki 4.x immediately.
VWE-2024-0235-1 is an Arbitrary Code Execution issue, where a malicious user can post specially-crafted [HTML] BB-Code tags within wiki content and execute arbitrary PHP code on the server. The issue affects all versions of the VaultWiki 2.x and 3.x series.