-
VaultWiki News
by Published on October 10, 2018 1:48 PM
As of October 10, 2018, the regularly scheduled security patches for October are available.
Issue List
VWE-2018-4662 is a Permissions Escalation issue, where users who can disconnect children from node-types can also remove reports about those children. This issue affects VaultWiki 4.0.8 and higher, but only affects XenForo-based installations.
VWE-2018-4666 is a Phishing issue, where it is possible to position user-generated content outside of its container by using specially-crafted custom sidebar block headings. This issue affects VaultWiki 4.0.0 RC 1 and higher, but does not affect Lite versions.
VWE-2018-4667 is a Permissions Escalation issue, by which a user viewing a feed can view wiki content that they don't have permission to view, when that content appears within the viewed feed. This issue affects VaultWiki 4.0.0 and higher.
VWE-2018-4670 is a Denial of Service Amplification issue, where a lack of limits on template usage may allow specially crafted wiki pages and underlying wiki templates to execute many thousands of MySQL queries on that wiki page, which may cause MySQL or PHP to become unresponsive under load. This issue affects all versions of VaultWiki running on XenForo-based installations, but does not affect Lite versions.
VWE-2018-4671 is an On-Site Alert issue, by which an invalid key utilized by the alerts system may result in users receiving on-site alerts for modifications to watched content even though they have opted out via their Alert Preferences. This issue affects all versions of VaultWiki running on XenForo-based installations.
VWE-2018-4673 is a GDPR-related issue, where VaultWiki's data storage and retention processes may be in conflict with the site's IP-address handling policy if the site's own processes and policies were written based on the XenForo admin options for IP pruning alone. The patch resolves the issue by making VaultWiki IP retention consistent with XenForo's IP pruning settings. The conflict exists in all versions of VaultWiki running on XenForo 1.2 and higher.
Patches
The following patches, issued October 8, 2018, address the aforementioned issues:
- 4.0.24 Patch Level 1
- 4.0.23 Patch Level 3
- 4.0.22 Patch Level 5
- 4.0.21 Patch Level 6
- 4.0.20 Patch Level 9
We recommend that all users running VaultWiki in a production environment update to a patched release.by Published on September 7, 2018 1:14 PM
VaultWiki 4.0.24 is available today to customers with an active license. This is primarily a maintenance release, containing about 50 bug fixes and style tweaks.
For a list of changes in this release please see Changelog for 4.0.24. If you are a style or language pack maintainer, please check here for changes which may affect you.
Release Notes
The current release is 4.0.24, which should be usable on vBulletin-based and XenForo-based production sites.by Published on August 27, 2018 3:24 PM
As of August 27, 2018, the regularly scheduled security patches for August are now available.
Issue List
VWE-2018-4625 is a Denial of Service Amplification issue, by which a distributed attack that posts comments to a single wiki discussion may be able to achieve denial of service, due to a flaw in the quick reply handler. Under vBulletin, the issue affects all prior versions of VaultWiki 4.x series. Under XenForo 1.x, the issue affects VaultWiki 4.0.0 Beta 7 and higher.
VWE-2018-4626 is a Data Loss issue, where some database keys may not be successfully created. The issue affects the July 2018 patches.
VWE-2018-4627 is a Data Loss issue, where the patches for VWE-2017-4033 do not successfully prevent accidental deletion of the wiki index or wiki areas and all contents, if not careful when using the Mass Delete function. The issue affects VaultWiki 4.0.18 and higher, but it does not affect Lite versions.
VWE-2018-4630 is a Permissions Escalation issue, where if a user has permission to view a wiki node, that user can view an RSS feed which contains a list of its contents, even though the user does not have permission to view a list of the node's contents. The issue affects VaultWiki 4.0.0 Alpha 6 and higher.
VWE-2018-4631 is a Data Loss issue, where when editing an existing integration, the already-injected content may not be selected. If the integration is saved without re-selecting the content, the existing integration would be removed. The issue affects VaultWiki 4.0.23 and higher, but it does not affect Lite versions.
VWE-2018-4632 is a Permissions Escalation issue, where a fatal error after re-parenting an area may prevent area permissions from being inherited correctly. The issue affects VaultWiki 4.0.21 and higher, but it does not affect Lite versions.
Patches
The following patches, issued August 27, 2018, address the aforementioned issues:
- 4.0.23 Patch Level 2
- 4.0.22 Patch Level 4
- 4.0.21 Patch Level 5
- 4.0.20 Patch Level 8
- 4.0.19 Patch Level 11*
*A patch was issued for 4.0.19 even though it reached its end of life earlier this August, because at least one of the issues resolved by the patch was discovered prior to its end-of-life. However, we recommend that users upgrade to a more recent patched version.
We highly recommend that all users running VaultWiki in a production environment update to a patched release.by Published on July 18, 2018 4:10 PM
As of July 18, 2018, the regularly scheduled security patches for July are now available.
Issue List
VWE-2018-4610 is a Permissions Escalation issue, by which a user may be able to view link statistics for a page even though that user has no permission to view the same page. The issue affects all prior versions of VaultWiki 2.x, 3.x, and 4.x, but it does not affect Lite versions.
VWE-2018-4614 is a Permissions Escalation issue, which could lead to Denial of Service. In some situations, disk space usage limits are not enforced. The issue affects VaultWiki 4.0.22 and higher, but it does not affect Lite versions.
VWE-2018-4618 is a Permissions Escalation issue, by which a user can view templated content even though that user has no permission to view the template. The issue affects all prior versions of VaultWiki 2.x, 3.x, and 4.x, but it does not affect Lite versions. Note that after applying this patch, in order to view templated content, a user must have permission to view the contents of the area that contains the template.
VWE-2018-4620 is a Legal issue, where under some versions of PHP, a user may be able to successfully upload a JPG image containing XMP metadata that is not preserved, as required by some laws, in resized versions of the image. The issue affects patches for VWE-2017-4030, and VaultWiki versions 4.0.20 and higher, but it does not affect Lite versions.
Patches
The following patches, issued July 18, 2018, address the aforementioned issues:
- 4.0.23 Patch Level 1
- 4.0.22 Patch Level 3
- 4.0.21 Patch Level 4
- 4.0.20 Patch Level 7
- 4.0.19 Patch Level 10
We highly recommend that all users running VaultWiki in a production environment update to a patched release.by Published on June 25, 2018 1:54 PM
As of June 13, 2018, VaultWiki 4.0.23 was released and is available to customers with an active license. This is primarily a maintenance release, containing about 20 bug fixes and style tweaks.
For a list of changes in this release, please see Changelog for 4.0.23. If you are a style or language pack maintainer, please check here for changes which may affect you.
Release Notes
The current release is VaultWiki 4.0.23, which should be usable on vBulletin-based and XenForo-based production sites.by Published on June 13, 2018 3:11 PM
As of June 13, 2018, the regularly scheduled security patches for June are now available.
Issue List
VWE-2018-4573 is a Denial of Service issue, involving a design flaw in the wiki session handler. It affects VaultWiki 4.0.13 and higher.
VWE-2018-4574 is a Permissions Escalation issue, in which a moderator may be able to move wiki content into a wiki area where that moderator has no permission. It affects all versions of the VaultWiki 4.x series.
Patches
The following patches, issued June 13, 2018, address the aforementioned issues:
- 4.0.22 Patch Level 2
- 4.0.21 Patch Level 3
- 4.0.20 Patch Level 6
- 4.0.19 Patch Level 9
- 4.0.18 Patch Level 10*
*A patch was issued for 4.0.18 even though it reached its end of life this May, because at least one of the issues resolved by the patch was discovered prior to its end-of-life. However, we recommend that users upgrade to a more recent patched version.
We highly recommend that all users running VaultWiki in a production environment update to a patched release.by Published on May 17, 2018 9:16 PM
As of May 16, 2018, the regularly scheduled security patches for March are now available.
Issue List
VWE-2018-4535 is a Permissions Escalation issue, in which users may be able to use prefixes that are not allowed by the current wiki area, if the area allows a different prefix with an overlapping name. The issue affects all previous versions of the VaultWiki 4.x series, but does not affect Lite versions.
VWE-2018-4536 is a Denial of Service issue, in which an attack may queue enough counter increments that attempting to resolve the increment queue can fail. The issue affects all previous versions of the VaultWiki 4.x series.
Patches
The following patches, issued May 16, 2018, address the aforementioned issues:
- 4.0.22 Patch Level 1
- 4.0.21 Patch Level 2
- 4.0.20 Patch Level 5
- 4.0.19 Patch Level 8
- 4.0.18 Patch Level 9
We recommend that all users running VaultWiki in a production environment update to a patched release.
This site uses cookies to help personalize content, to tailor your experience, and to keep you logged in if you register.
By continuing to use this site, you are consenting to our use of cookies.
By continuing to use this site, you are consenting to our use of cookies.