VaultWiki News

As of October 25, security patches for October 2021 are now available.

Issue List

VWE-2021-6236 is a Permissions escalation issue, where a user can view the title of content they have no permission to view by reading the profile of a user whose last wiki activity involved that content.

VWE-2021-6237 is a Permissions escalation issue, where a guest can view the wiki's cached last update even if permissions have changed in the past 5 minutes so that the guest can no longer view that update. The issue affects all versions of the VaultWiki 4.x series.

VWE-2021-6238 is a Permissions escalation issue, where after certain updates to permissions that do not target a specific row by ID, affected users can still view some cached content, even if the update changed their permissions so that they would not be permitted to view that content. The issue affects all versions of the VaultWiki 4.x series.

VWE-2021-6239 is a Permissions escalation issue, where the VaultWiki 3 importer grants custom moderator permissions to the wrong target moderator. The issue affects all versions of the VaultWiki 4.x series, except Lite versions.

VWE-2021-6247 is a Denial of Service issue, where a user can force an existing wiki attachment to become inaccessible by editing it and uploading a new version. The issue affects all versions of the VaultWiki 4.1.x series, on XenForo 2.x platforms only, except Lite versions.

VWE-2021-6249 is a Legal issue, where PNG metadata from XMP profiles are not preserved. Some countries require web sites to preserve XMP metadata. The issue affects VaultWiki 4.0.20 and higher, as well as patches for VWE-2017-4030, except Lite versions.

VWE-2021-6251 is a Denial of Service issue, where a user can force an existing wiki content to become inaccessible by renaming the content, if there is not another content of the same type with an ID matching the renamed content's route ID. The issue affects VaultWiki 4.1.1 Patch Level 2 and higher, except on XenForo 2.x platforms.

VWE-2021-6252 is a Denial of Service amplification issue, where a distributed attack can consume available MySQL connections by submitting extremely high amounts of choices to a bulk chooser's submission script, because the number of choices is not limited prior to querying MySQL. This occurs due to a lack of completeness in the patches for VWE-2016-2034. The issue affects those VaultWiki patches and higher versions.

VWE-2021-6253 is a Denial of Service issue, where a user can leverage fatal errors in the TEMPLATE BB-Code to force any wiki page using certain templates to resolve as a fatal error. The issue affects VaultWiki 4.0.4 and higher, except Lite versions.

VWE-2021-6254 is a Permissions Escalation issue, where a user can view a partial list of a wiki area's feeds by viewing the Recent Feed Updates widget for that area, even though the user does not have permission to view a list of the area's contents. The issue affects VaultWiki 4.0.0 and higher.

VWE-2021-6255 is a Denial of Service issue, where the entire wiki remains disabled after an administrator uses the Rebuild Content URLs tool. The issue affects all versions of the VaultWiki 4.1.x series, on vBulletin-based platforms only.

VWE-2021-6256 is a Permissions Escalation issue, where a user can change the target of a synonym without having permission to edit synonyms. The issue affects all versions of the VaultWiki 4.x series, except Lite versions.

VWE-2021-6257 is a Permissions Escalation issue, where a user can rename a synonym without having permission to rename synonyms. The issue affects all versions of the VaultWiki 4.x series, except Lite versions.

VWE-2021-6258 is a Permissions Escalation issue, where a user can set a synonym's title to a value that appears on the Disallowed Titles list. The issue affects all versions of the VaultWiki 4.x series, except Lite versions.

VWE-2021-6259 is a Denial of Service amplification issue, where a distributed attack by malicious editors can consume all memory allocated to PHP by leveraging massive numbers of template inclusions within complex template fields and saving the affected pages simultaneously. The issue affects VaultWiki 4.1.0 RC 2 and higher, on XenForo 2.x platforms only, except Lite versions.

VWE-2021-6260 is a Permissions Escalation issue, where a custom field that parses BB-Code will render based on the template expansion rules for the maximum wiki page length rather than the maximum field length. The issue affects VaultWiki 4.1.0 RC 2 and higher, on XenForo 2.x platforms only, except Lite versions.

VWE-2021-6261 is a Permissions Escalation issue and occasionally a Data Loss issue, where installer fails to create a new moderator group, forcing administrators to choose an existing usergroup. Choosing an existing group risks permissions escalation and possible locked accounts, because users are added and dropped from the moderator group depending on the user's browsing context. For forums with large numbers of users, this can lead to data loss, because recovering the user's original usergroup assignments would require restoring the database from a backup. The issue affects all versions of the VaultWiki 4.1.x series, except XenForo 2.x platforms.

• Administrators who believe their forum is in this situation should backup their database and reach out for special instructions on changing their moderator group safely, as the patch only restores the ability to create a new usergroup during installation. For new moderators created after version 4.1.3, VaultWiki will additionally attempt to track whether users were already in a usergroup before becoming a moderator to help avoid this problem.

Patches

The following patches address the aforementioned issues:

• 4.1.2 Patch Level 3
• 4.1.1 Patch Level 8

Notes

We strongly recommend that all customers running VaultWiki in a production environment update to a patched release.

As of September 14, security patches for September 2021 are now available.

Issue List

VWE-2021-6191 is a Permissions Escalation and Data Loss issue, where some edits do not preserve existing custom field values from the previous edit. This is most common for edits generated from outside the Edit tab, such as mass edits. Within the Edit tab, when a user who does not have permission to change any custom field for a page edits that page, the unpermitted custom fields may be changed to a blank value. The issue affects VaultWiki 4.1.0 RC 2 and higher, under XenForo 2.1 and higher only.

VWE-2021-6205 is a Permissions Escalation issue, where a user can view a list of content in a disambiguation page via a content chooser that is showing results from disambiguation pages, even though the user does not have permission to view a list of the disambiguation page's contents. The issue affects VaultWiki 4.1.0 RC 3 and higher.

VWE-2021-6207 is a Data Loss issue, where changes to the editor's contents since it was loaded are not retained upon saving, if the editor was previewed. The issue affects VaultWiki 4.0.0 Beta 1 and higher, under XenForo only, but only leads to data loss under XenForo 2.2 or higher.

VWE-2021-6208 is a Data Loss issue, where template parameter editor contents of forced template content are not saved if the editor was changed from BB-Code to WYSIWYG mode. The issue affects VaultWiki 4.1.0 RC 3 and higher, under vBulletin only.

VWE-2021-6209 is a Data Loss issue, where template parameter editors are not provided for forced template content, causing subsequent edits to save blank entries as the parameter values. The issue affects VaultWiki 4.1.0 RC 3, under vBulletin only.

VWE-2021-6218 is a Data Loss issue, where if a user edits an existing page that has text content so that the page would no longer have any text content and either previews the changes or receives submission errors, the editor is reloaded as though the text was unchanged. The issue affects all versions of VaultWiki 4.x; however, in the VaultWiki 4.1.x series, XenForo is unaffected.

Patches

The following patches address the aforementioned issues:

• 4.1.2 Patch Level 2
• 4.1.1 Patch Level 7
• 4.1.0 Patch Level 9*

*A patch was issued for this version even though it reached its end-of-life before the patch date, because at least one of the addressed issues was identified prior to its end-of-life. However, we recommend that users update to a more recent patched version.

Notes

We strongly recommend that all users running VaultWiki in a production environment update to a patched release.

As of July 25, security patches for July 2021 are now available.

Issue List

VWE-2021-6131 is a Subscription Management issue, where the wrong user may receive a notification when a moderator takes action against a user's wiki content. The issue affects all versions of the VaultWiki 4.x series.

VWE-2021-6136 is a Data Loss issue, where when renaming content, a user can unintentionally change all synonyms attached to that content into double redirects. The issue affects VaultWiki 4.0.16 and higher.

VWE-2021-6139 is a Permissions Escalation issue, where when renaming content, the rename is completed without a valid synonym, even if the user does not have permission to rename without generating a synonym. The issue affects VaultWiki 4.0.16 and higher.

VWE-2021-6145 is a Permissions Escalation issue, by which a user who can move content to another area can also send it to the approval queue, even though the user does not have permission to moderate content. The issue affects VaultWiki 4.1.0 RC 2 and higher.

VWE-2021-6148 is a Data Loss issue, where deferred tasks containing a reference to triggering content can fail to queue due to custom field assignments or unencoded IP data, resulting in data denormalization, orphaned content, and other effects. The issue affects VaultWiki 4.1.0 RC 2 and higher.

Patches

The following patches address the aforementioned issues:

• 4.1.2 Patch Level 1
• 4.1.1 Patch Level 6
• 4.1.0 Patch Level 8

Notes

We strongly recommend that all users running VaultWiki in a production environment update to a patched release.

As of June 6, security patches for June 2021 are now available.

Issue List

VWE-2021-6097 is a MySQL Injection issue, where users may be able to perform arbitrary MySQL by utilizing a flaw in platform-based attachment management. The issue affects all versions of the VaultWiki 4.x series.

VWE-2021-6098 is a Permissions Escalation issue, where a user can associate platform-based attachments to wiki comments, even though those attachments were uploaded by another user account with different attachment permissions and/or quotas, or by the same user account under a different context with different attachment permissions and/or quotas. The issue affects all versions of the VaultWiki 4.x series.*

* Please be aware that variations of the same issue also affect basic content-types on stock installations of both vBulletin and XenForo. XenForo developers have been notified of the issue, but as of this notice, the issue has not yet been addressed. Since vBulletin 4.x and lower is already end-of-life, this would never be patched by vBulletin's developers. In the absence of a patch, the only way to prevent this issue from being exploited would be to disable all platform-based attachments (posts, conversations, etc) that are not patched. Also, depending on the method, a future XenForo patch could break the fix that we have applied to wiki comments.

VWE-2021-6099 is a Permissions Escalation issue, where a malicious user who can edit the wiki index can also change the index into a sub-area, or who can edit index-level feeds can move those feeds to another area. The issue affects VaultWiki 4.1.0 Alpha 1 and higher.

VWE-2021-6100 is an HTML Injection issue, where when previewing content or displaying an error, an editor field is presented again after submission without reencoding the submitted value. The issue affects all versions of the VaultWiki 4.x series.

VWE-2021-6101 is an HTML Injection issue, where when previewing content or displaying an error, an editor field is presented again after submission without reencoding the submitted value. The issue affects all versions of the VaultWiki 4.x series, but only on vBulletin-based platforms.

VWE-2021-6102 is an HTML Injection issue, where usernames are not displayed consistently in an escaped format. The issue affects all versions of the VaultWiki 4.x series, but only on XenForo-based platforms.

VWE-2021-6103 is an HTML Injection issue, where certain IP address values are not displayed in an escaped format. The issue affects the VaultWiki 2.2.x-2.5.x series, the VaultWiki 3.x series, and the VaultWiki 4.x series.

VWE-2021-6104 is an HTML Injection issue, where certain fields are not escaped properly in the wiki's RSS feeds. The issue affects all versions of the VaultWiki 4.x series.

VWE-2021-6105 is a Permissions Escalation issue, where a user can associate wiki-based files to wiki attachments, even though those files were uploaded under a different context with different attachment permissions, or even though those files are associated to an existing attachment that was created by another user or context with different attachment permissions. The issue affects all versions of the VaultWiki 2.x, 3.x, and 4.x series.

VWE-2021-6106 is a Permissions Escalation issue, where a user can upload wiki-based files even though those files are not permitted in the selected target area. The issue affects all versions of the VaultWiki 4.x series.

VWE-2021-6107 is a Permissions Escalation issue, where it is possible to upload an image with dimensions larger than the maximum permitted dimensions via a specially-crafted image file that exceeds the maximum permitted file size. The issue affects all versions of the VaultWiki 4.x series.

Patches

The following patches address the aforementioned issues:

• 4.1.1 Patch Level 5
• 4.1.0 Patch Level 7
• 4.1.0 RC 3 Patch Level 9*

*A patch was issued for this version even though it reached its end-of-life before the patch date, because at least one of the addressed issues was identified prior to its end-of-life. However, we recommend that users update to a more recent patched version.

Notes

We strongly recommend that all users running VaultWiki in a production environment update to a patched release.

As of May 3, security patches for May 2021 are now available.

Issue List

VWE-2021-6051 is a MySQL Injection issue, where a malicious administrator can execute arbitrary MySQL statements by utilizing a flaw in integration position management. The issue affects VaultWiki 4.1.0 Alpha 1 and higher.

VWE-2021-6076 is an HTML Injection issue, where a malicious editor can save specially crafted content that is later loaded as WYSIWYG editor content by an unsuspecting user editing the same page, and if the second user opens certain editor dialogs while having that content selected, the content can be displayed to the user unescaped. The issue affects all versions of the VaultWiki 4.x series.

VWE-2021-6087 is a Denial of Service issue, where a malicious editor can leverage fatal errors in handling of the WIDGET BB-Code's "sidebar" variant in order to cause any page they edit to resolve as a fatal error. The issue affects VaultWiki 4.1.0 Alpha 1 and higher, but only on XenForo 2.x platforms.

Patches

The following patches address the aforementioned issues:

• 4.1.1 Patch Level 4
• 4.1.0 Patch Level 6
• 4.1.0 RC 3 Patch Level 8

Notes

We strongly recommend that all users running VaultWiki in a production environment update to a patched release.

As of March 5, security patches for March 2021 are now available.

Issue List

VWE-2021-6177 is a Permissions Escalation issue, under which, when the last editor and original creator of a wiki page are different, the last editor of the page can protect the page so that only the creator can make changes, without the original creator's knowledge or consent. In such a case, until the original creator submits a new edit, even the original creator has no access to the controls necessary to reverse the protection. The issue affects VaultWiki 4.0.20 and higher.

Patches

The following patches address the aforementioned issue:

• 4.1.1 Patch Level 3
• 4.1.0 Patch Level 5
• 4.1.0 RC 3 Patch Level 7
• 4.1.0 RC 2 Patch Level 8

Notes

We recommend that all users running VaultWiki in a production environment update to a patched release.