As of May 3, security patches for May 2022 are now available.
Issue List
VWE-2022-6416 is an Information Disclosure issue, where some variants of the VAR BB-Code allow any wiki editor to view and publicize the current VaultWiki version number. The issue affects VaultWiki 4.0.19 and higher. Prior to 4.0.19, Information Disclosures were not treated as security issues.
VWE-2022-6420 is an HTML Injection issue, where by leveraging a flaw in the cropping of overly-long WIKI BB-Code usages, a malicious user can modify the expected contents of HTML blocks outside the intended user-generated content locations. The issue affects VaultWiki 4.0.9 and higher, as well as earlier patches for
VWE-2016-2072.
VWE-2022-6426 is a Denial of Service issue, where on some hosts and server configurations, VaultWiki's deferred tasks trigger a false-positive in denial-of-service protective measures, which causes some visitors to inappropriately receive temporary bans or for the hosting account to be temporarily suspended, because the web-based deferred tasks may be processed in rapid succession. The issue affects all versions of the VaultWiki 4.x series, although the issue is more pronounced on XenForo-based platforms.
Patches
The following patches address the aforementioned issues:
- 4.1.4 Patch Level 2
- 4.1.3 Patch Level 4
- 4.1.2 Patch Level 7
Notes
We highly recommend that all users running VaultWiki in a production environment update to a patched release as soon as they are able.