As of November 8, security patches for November 2020 are now available.
Issue List
VWE-2020-5943 is a Denial of Service issue, where a sanitization issue in AJAX-submitted input allows invalid UTF-8 characters to pass verification, and could result in the prevention of moderator access to XenForo 2.x's approval queue if it contains affected content. The underlying sanitization issue has existed since 4.0.0 Gamma 6 and exists in all platforms; however, the code was never used on XenForo-based platforms in the VaultWiki 4.0.x series. The issue has been exploited in the wild as early as June 2017 on vBulletin-based platforms. The malicious effect can only be realized in the following situations:
- vBulletin installations, running VaultWiki 4.0.0 Gamma 6 or higher when exploited, if that installation converts to XenForo 1.x running VaultWiki, and later converts to XenForo 2.x running VaultWiki.
- XenForo installations, running VaultWiki 4.1.x or higher when exploited, if that installation now runs XenForo 2.x
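The root cause above is a server-side sanitization step that let ill-formed UTF-8 through, so that whatever later rendered the stored text (here, the approval queue) broke. The block below is an added illustration and is not VaultWiki, XenForo or vBulletin code: it walks submitted bytes against the RFC 3629 sequence shapes, reports every ill-formed run, and shows the two policies a server can apply before storing the field (reject the request, or replace each run with U+FFFD). Function names and the sample byte strings are constructed for this example.

```python
"""UTF-8 validation of AJAX-submitted text before it is stored.

Added illustration, not VaultWiki / XenForo / vBulletin code: a generic
RFC 3629 byte walker that reports every ill-formed byte run, plus two
policies a server can apply (reject the request, or replace each run
with U+FFFD) so that stored content, and anything that later renders it
such as a moderation queue, only ever sees well-formed text.
"""
from typing import List, Tuple

REPLACEMENT = "\ufffd"


def find_invalid_utf8(data: bytes) -> List[Tuple[int, int]]:
    """Return (offset, length) for every ill-formed byte run in data.

    Enforces RFC 3629 / Unicode Table 3-7: rejects overlong encodings,
    UTF-16 surrogates (lead ED with second byte A0..BF), code points above
    U+10FFFF, stray continuation bytes and truncated sequences. Each run
    is a "maximal subpart", the unit Python's own decoder replaces with
    one U+FFFD, which makes the cross-check at the bottom possible.
    """
    runs: List[Tuple[int, int]] = []
    i, n = 0, len(data)
    while i < n:
        b0 = data[i]
        if b0 < 0x80:                      # ASCII
            i += 1
            continue
        # The lead byte decides how many continuation bytes follow and the
        # allowed range of the first one; the narrowed ranges are what
        # rule out overlongs, surrogates and values beyond U+10FFFF.
        if 0xC2 <= b0 <= 0xDF:
            need, lo, hi = 1, 0x80, 0xBF
        elif b0 == 0xE0:
            need, lo, hi = 2, 0xA0, 0xBF
        elif 0xE1 <= b0 <= 0xEC or 0xEE <= b0 <= 0xEF:
            need, lo, hi = 2, 0x80, 0xBF
        elif b0 == 0xED:
            need, lo, hi = 2, 0x80, 0x9F
        elif b0 == 0xF0:
            need, lo, hi = 3, 0x90, 0xBF
        elif 0xF1 <= b0 <= 0xF3:
            need, lo, hi = 3, 0x80, 0xBF
        elif b0 == 0xF4:
            need, lo, hi = 3, 0x80, 0x8F
        else:                              # 80..C1 (stray/overlong) or F5..FF
            runs.append((i, 1))
            i += 1
            continue
        j = i + 1
        if j < n and lo <= data[j] <= hi:
            j += 1
            while j - i <= need and j < n and 0x80 <= data[j] <= 0xBF:
                j += 1
        if j - i == need + 1:              # complete, well-formed sequence
            i = j
        else:                              # truncated or bad continuation byte
            runs.append((i, j - i))
            i = j
    return runs


def is_valid_utf8(data: bytes) -> bool:
    return not find_invalid_utf8(data)


def sanitize_utf8(data: bytes) -> str:
    """Decode, replacing each ill-formed run with a single U+FFFD."""
    out, pos = [], 0
    for off, length in find_invalid_utf8(data):
        out.append(data[pos:off].decode("utf-8"))   # bytes between runs are well-formed
        out.append(REPLACEMENT)
        pos = off + length
    out.append(data[pos:].decode("utf-8"))
    return "".join(out)


def validate_submission(raw: bytes, policy: str = "reject") -> Tuple[bool, str]:
    """Apply the server-side policy to one submitted field.

    'reject':  refuse the whole request when any ill-formed run is present
               (the caller answers with a 4xx and stores nothing).
    'replace': store a cleaned string; the user sees U+FFFD where bytes were dropped.
    """
    runs = find_invalid_utf8(raw)
    if not runs:
        return True, raw.decode("utf-8")
    if policy == "reject":
        return False, f"rejected: {len(runs)} ill-formed byte run(s), first at offset {runs[0][0]}"
    if policy == "replace":
        return True, sanitize_utf8(raw)
    raise ValueError(f"unknown policy {policy!r}")


def agrees_with_stdlib(data: bytes) -> bool:
    """Cross-check against Python's decoder, which also replaces maximal subparts."""
    return sanitize_utf8(data) == data.decode("utf-8", "replace")


if __name__ == "__main__":
    # Constructed samples: truncated 3-byte sequence, overlong '/', a surrogate, valid text.
    for sample in (b"ok\xe2\x82", b"\xc0\xaf", b"\xed\xa0\x80", "h\u00e9llo".encode()):
        print(sample, find_invalid_utf8(sample), validate_submission(sample, "replace"))
```

Either policy is acceptable; what matters is that the check runs on the raw bytes at the trust boundary, before anything is written, so that a moderator-facing view never has to cope with bytes the rest of the stack assumes are valid.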
VWE-2020-5948 is a Denial of Service issue, where a malicious user may be able to force a wiki page into a permanently moderated state by leveraging unapproved minor edits. The issue affects all versions of the VaultWiki 4.x series.
VWE-2020-5953 is a Permissions Escalation issue, where a user can see certain non-area listings of content that exists in an area where that user has no permission to view the area's contents, as long as the user has permission to view the area's landing page. The issue affects VaultWiki 4.0.0 Alpha 6 and higher.
VWE-2020-5954 is a Permissions Escalation issue, where a user can see the name of a collaborative feed they don't have permission to view, as long as a page has been added to that feed already and the user has permission to add the same page to a different collaborative feed. The issue affects VaultWiki 4.0.0 and higher.
VWE-2020-5955 is a Permissions Escalation issue, where a user can see the name of a category they don't have permission to view, as long as they have permission to edit the categories for a page that is already listed in that category. The issue affects all versions of the VaultWiki 4.x series.
VWE-2020-5956 is a Permissions Escalation issue, where a user can see the name of a wiki page they don't have permission to view, as long as they have permission to edit translations for another page that is already a translation of that page. The issue affects all versions of the VaultWiki 4.x series.
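VWE-2020-5953 through VWE-2020-5956 share one shape: a user who is allowed to edit a page's relationships (its categories, feeds or translations) is shown the names of related objects they are not allowed to view, because only the action on the page was authorized, not each object surfaced in the response. The block below is an added illustration with a constructed data model and is not VaultWiki code; it shows the leaking editor beside the fixed one, and the save path that keeps hidden entries intact instead of overwriting them with whatever the client sent back. All names, groups and ids are assumptions made for the example.

```python
"""Object-level authorization for relationship editors.

Added illustration, not VaultWiki code. Users carry group names,
categories carry the groups allowed to view them, and pages carry the
groups allowed to edit their category list. The same pattern applies to
feeds and translations.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass
class User:
    name: str
    groups: FrozenSet[str]


@dataclass
class Category:
    id: int
    title: str
    view_groups: FrozenSet[str]      # groups that may see this category at all


@dataclass
class Page:
    id: int
    title: str
    categories: List[int]            # category ids the page is listed in
    edit_groups: FrozenSet[str]      # groups that may edit this page's categories


def can_view_category(user: User, cat: Category) -> bool:
    return bool(user.groups & cat.view_groups)


def can_edit_page_categories(user: User, page: Page) -> bool:
    return bool(user.groups & page.edit_groups)


def category_editor_vulnerable(user: User, page: Page, catalog: Dict[int, Category]) -> List[str]:
    """Checks only the action on the page, so titles of hidden categories leak."""
    if not can_edit_page_categories(user, page):
        raise PermissionError("cannot edit categories of this page")
    return [catalog[c].title for c in page.categories]


def category_editor_fixed(user: User, page: Page, catalog: Dict[int, Category]) -> List[str]:
    """Authorizes every object surfaced, not just the action on the page."""
    if not can_edit_page_categories(user, page):
        raise PermissionError("cannot edit categories of this page")
    return [catalog[c].title for c in page.categories
            if can_view_category(user, catalog[c])]


def save_categories_fixed(user: User, page: Page, submitted: List[int],
                          catalog: Dict[int, Category]) -> List[int]:
    """Persist an edit without letting hidden entries be lost or touched.

    Hidden categories were not shown in the editor, so a plain "replace the
    list with what the client sent" would silently drop them. Keep them,
    and refuse ids the user cannot view.
    """
    if not can_edit_page_categories(user, page):
        raise PermissionError("cannot edit categories of this page")
    for c in submitted:
        if c not in catalog or not can_view_category(user, catalog[c]):
            raise PermissionError(f"category {c} is not available to {user.name}")
    hidden = {c for c in page.categories if not can_view_category(user, catalog[c])}
    page.categories = sorted(hidden | set(submitted))
    return page.categories


# Constructed sample data.
CATALOG: Dict[int, Category] = {
    1: Category(1, "Public", frozenset({"member", "staff"})),
    2: Category(2, "Staff only", frozenset({"staff"})),
}
ALICE = User("alice", frozenset({"member"}))
STAFF = User("staff", frozenset({"staff"}))


def sample_page() -> Page:
    return Page(10, "Roadmap", [1, 2], frozenset({"member", "staff"}))


if __name__ == "__main__":
    print(category_editor_vulnerable(ALICE, sample_page(), CATALOG))  # leaks "Staff only"
    print(category_editor_fixed(ALICE, sample_page(), CATALOG))       # ["Public"]
    p = sample_page()
    print(save_categories_fixed(ALICE, p, [], CATALOG))               # [2]: hidden entry kept
```

The check worth adding in review is the second half: once an editor hides objects from a user, the corresponding save handler has to merge rather than replace, or the fix trades a disclosure for data loss.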
VWE-2020-5963 is an Expired Pointer Dereference issue, which can lead to unintentional data corruption or data loss. When purging the current revision of a page, both the actioned page and another unrelated page may become damaged. The issue affects the actioned page in all versions of the VaultWiki 4.x series, and the additional unrelated page in 4.0.0 and higher.
Patches
The following patches address the aforementioned issues:
- 4.1.0 Patch Level 2
- 4.1.0 RC 3 Patch Level 4
- 4.1.0 RC 2 Patch Level 5
- 4.1.0 RC 1 Patch Level 6
- 4.0.28 Patch Level 6
Notes
We recommend that all users running VaultWiki in a production environment update to a patched release.