-
VaultWiki News
by Published on October 12, 2019 5:59 PM
VaultWiki 4.1.0 Beta 4 is now available for download. This is primarily a maintenance release, containing at least 60 fixes and tweaks.
For a list of changes in this release, please see Changelog for 4.1.0 Beta 4. If you are a style or language pack maintainer, please check here for changes which may affect you.
State of the Beta
As some people may be aware, we originally intended to only have 3 beta releases for 4.1.x; however, due to last month's down time, we released an unpolished and unannounced Beta 3 beforehand in order to tide folks over.
But as the number of unresolved issues in the bug tracker approaches that of typical stable releases, and with only 1 more planned feature to roll out in 4.1.x, we fully expect that the next release will be proposed as stable -- that is, a Release Candidate.
Release Notes
Sites running 4.1.x Betas should upgrade to VaultWiki 4.1.0 Beta 4 as soon as they are able in order to improve stability. VaultWiki 4.1.0 Beta 4 is beta software. We recommend that beta software only be used in a test environment.by Published on October 12, 2019 12:50 PM
As of October 12, the security patches for October 2019 are now available.
Issue List
VWE-2019-5363 is a Permissions Escalation issue, where users are able to make unmoderated edits to the index and area pages, as long as they can make unmoderated edits to regular pages. The issue affects all versions of the 4.x series.
VWE-2019-5360 is a Permissions Escalation issue, where users can accidentally rename pages with HTML entities in the title, even if they don't have permission to rename pages. The issue affects all versions of the 4.x series.
VWE-2019-5375 is a Permissions Escalation issue, where regardless of other applicable types, users can rename any attachment as long as they have permission to rename attachments, and can rename other types of pages as long as they have permission to rename regular pages. The issue affects all versions of the 4.x series.
Patches
The following patches address the aforementioned issues:
- 4.0.27 Patch Level 1
- 4.0.26 Patch Level 3
- 4.0.25 Patch Level 5
4.1.x Issues
Since beta versions are not subject to the same patching policy as stable versions, the following issues will be patched in the next release of the 4.1.x branch, 4.1.0 Beta 4, in addition to any relevant issues listed above.
VWE-2019-5361 is a Permissions Escalation issue, where users can create new collaborative feeds in no area without awaiting approval, as long as they have global permissions to create collaborative feeds. The issue affects 4.1.0 Alpha 1 and higher.
VWE-2019-5391 is a Phishing issue, where user-positioned elements are not restricted within the relevant position's container. The issue affects 4.1.0 Alpha 1 and higher.
Notes
We recommend that all users running VaultWiki in a production environment update to a patched release as soon as they are able.by Published on August 4, 2019 1:19 PM
Beginning on or about the week of August 19, 2019 until on or about the week of September 23, 2019, there will be no new releases, little to no development, and close to zero support available from admins, due to medical conflicts that will occur during that time.
We expect to be fully operational again by October 1, 2019, with some development and/or support likely returning the prior week. In the interim, skeleton staff may be available to answer very basic questions.
Please consider this expected downtime when purchasing or renewing your licenses, ordering services, or updating to new versions. We apologize for any inconvenience this will cause.by Published on July 14, 2019 12:56 PM
As of July 14, 2019, VaultWiki 4.1.0 Beta 2 is now available. This release expands XenForo 2.1 support, adds some new features, and contains about 50 fixes and tweaks.
Custom Permissions for Individual Wiki Content
In Beta 2, the Protect tab has been expanded with a "Custom Rules" section, which allows content managers to tweak the permissions of specific users for that content.
For example, if you manage a wiki page that your friend does not have permission to edit, you can grant that permission to your friend.
Alternatively, if you manage a wiki page and there are specific users who have made bad contributions, you can revoke their editing capabilities for that page.
Similar options are available for feeds and who can add entries, as well as for discussions and who can reply.
XenForo 2.x Spam Cleaning
Beta 2 integrates with XenForo 2's Spam Cleaner. Now, when moderators opt to remove all content posted by spam users, wiki content will be included in that operation.
Resolved Security Issues
Since beta versions are not subject to the same patching policy as stable versions, the following issues are patched in this release of the 4.1.x branch, 4.1.0 Beta 2, in addition to any relevant issues that were already patched on the stable branch.
VWE-2019-5280 is a Subscription Management issue, where users may receive push notifications about wiki content, even though they have opted out of those notifications, as long as they are opted in to the corresponding alerts. The issue affected 4.1.0 Alpha 2 and higher, on XenForo 2.1 and higher.
Release Notes
Sites running 4.1.x Betas should upgrade to VaultWiki 4.1.0 Beta 2 as soon as they are able in order to improve stability. VaultWiki 4.1.0 Beta 2 is beta software. We recommend that beta software only be used in a test environment.by Published on July 12, 2019 12:55 PM
VaultWiki 4.0.27 is now available to customers with an active license. This is a maintenance release, containing about 5 bug fixes and style tweaks.
For a list of changes in this release, please see Changelog for 4.0.27. If you are a style or language pack maintainer, please check here for changes which may affect you.
Release Notes
The current release is 4.0.27, which should be usable on vBulletin-based and XenForo-based production sites.by Published on July 12, 2019 12:35 PM
As of July 12, the security patches for July 2019 are now available.
Issue List
VWE-2019-5275 is a Permissions Escalation issue, by which using template parameters in alternate parser types, such as plain-text, makes it possible to render content using settings from the wrong area. The issue affects VaultWiki 4.0.7 and higher, as well as patches for VWE-2015-1601. It only affects XenForo-based platforms.
Patches
As of July 12, 2019, the following patches address the aforementioned issue:
- 4.0.26 Patch Level 2
- 4.0.25 Patch Level 4
- 4.0.24 Patch Level 6
4.1.x Issues
Since beta versions are not subject to the same patching policy as stable versions, the following issues will be patched in the next release of the 4.1.x branch, 4.1.0 Beta 2, in addition to any relevant issues listed above.
VWE-2019-5280 is a Subscription Management issue, where users may receive push notifications about wiki content, even though they have opted out of those notifications, as long as they are opted in to the corresponding alerts. The issue affects 4.1.0 Alpha 2 and higher, on XenForo 2.1 or higher.
Notes
We recommend that all users running VaultWiki in a XenForo-based production environment update to a patched release.by Published on June 8, 2019 6:42 AM
As of June 7, the security patches for June 2019 are now available.
Issue List
VWE-2019-5193 is an HTML/Javascript injection issue, where by leveraging XHR requests, users may be able to embed new HTML in the requested page or save content that is rendered as HTML, without appropriate permission. It affects 4.0.0 Gamma 6 and higher.
VWE-2019-5261 is a Subscription Management issue, where imported subscriptions don't flag the correct user as having active subscriptions. While subscriptions are disabled globally, those users could be unable to manage their imported subscriptions if they don't have non-imported subscriptions too. It affects 4.0.0 Gamma 7 and higher.
Patches
As of June 7, 2019, the following patches address the aforementioned issues:
- 4.0.26 Patch Level 1
- 4.0.25 Patch Level 3
- 4.0.24 Patch Level 5
- 4.0.23 Patch Level 7*
* A patch was issued for this version even though it reached its end-of-life before the patch date, because at least one of the addressed issues was identified prior to its end-of-life. However, we recommend that users update to a more recent patched version.
4.1.x Issues
Since beta versions are not subject to the same patching policy as stable versions, the following issues are patched in a new build of the current 4.1.x branch version, 4.1.0 Beta 1, in addition to any relevant issues listed above.
VWE-2019-5241 is a Permissions Escalation issue, where users can view the output of certain sidebar-type WIDGET BB-Codes without permission, as long as they have permission to view output of a specific other sidebar-type widget, which varies from case to case. The issue affects XenForo 2.x only.
VWE-2019-5244 is a Denial of Service issue, where by exploiting a bug while renaming content, malicious users can disappear pages completely. The issue affects XenForo 2.x only.
VWE-2019-5266 is a Permissions Escalation issue, by which a user can use specially crafted BB-Codes and template parameters to circumvent area parser settings. The issue affects XenForo 2.x only.
VWE-2019-5268 is a Subscription Management issue, where user requests to mass disable all email notifications for wiki subscriptions or to empty entire wiki subscription folders will not completely successfully.
Notes
We recommend that all users running VaultWiki in a production environment update to a patched release.
This site uses cookies to help personalize content, to tailor your experience, and to keep you logged in if you register.
By continuing to use this site, you are consenting to our use of cookies.
By continuing to use this site, you are consenting to our use of cookies.