-
VaultWiki News
by Published on June 6, 2021 1:33 PM
As of June 6, security patches for June 2021 are now available.
Issue List
VWE-2021-6097 is a MySQL Injection issue, where users may be able to perform arbitrary MySQL by utilizing a flaw in platform-based attachment management. The issue affects all versions of the VaultWiki 4.x series.
VWE-2021-6098 is a Permissions Escalation issue, where a user can associate platform-based attachments to wiki comments, even though those attachments were uploaded by another user account with different attachment permissions and/or quotas, or by the same user account under a different context with different attachment permissions and/or quotas. The issue affects all versions of the VaultWiki 4.x series.*
* Please be aware that variations of the same issue also affect basic content-types on stock installations of both vBulletin and XenForo. XenForo developers have been notified of the issue, but as of this notice, the issue has not yet been addressed. Since vBulletin 4.x and lower is already end-of-life, this would never be patched by vBulletin's developers. In the absence of a patch, the only way to prevent this issue from being exploited would be to disable all platform-based attachments (posts, conversations, etc) that are not patched. Also, depending on the method, a future XenForo patch could break the fix that we have applied to wiki comments.
VWE-2021-6099 is a Permissions Escalation issue, where a malicious user who can edit the wiki index can also change the index into a sub-area, or who can edit index-level feeds can move those feeds to another area. The issue affects VaultWiki 4.1.0 Alpha 1 and higher.
VWE-2021-6100 is an HTML Injection issue, where when previewing content or display an error, an editor field is presented again after submission without reencoding the submitted value. The issue affects all versions of the VaultWiki 4.x series.
VWE-2021-6101 is an HTML Injection issue, where when previewing content or display an error, an editor field is presented again after submission without reencoding the submitted value. The issue affects all versions of the VaultWiki 4.x series, but only on vBulletin-based platforms.
VWE-2021-6102 is an HTML Injection issue, where usernames are not displayed consistently in an escaped format. The issue affects all versions of the VaultWiki 4.x series, but only on XenForo-based platforms.
VWE-2021-6103 is an HTML Injection issue, where certain IP address values are not displayed in an escaped format. The issue affects all versions of the VaultWiki 4.x series.
VWE-2021-6104 is an HTML Injection issue, where certain fields are not escaped properly in the wiki's RSS feeds. The issue affects all versions of the VaultWiki 4.x series.
VWE-2021-6105 is a Permissions Escalation issue, where a user can associate wiki-based files to wiki attachments, even though those files were uploaded under a different context with different attachment permissions, or even though those files are associated to an existing attachment that was created by another user or context with different attachment permissions. The issue affects all versions of the VaultWiki 2.x, 3.x, and 4.x series.
VWE-2021-6106 is a Permissions Escalation issue, where a user can upload wiki-based files even though those files are not permitted in the selected target area. The issue affects all versions of the VaultWiki 4.x series.
VWE-2021-6107 is a Permissions Escalation issue, where it is possible to upload an image with dimensions larger than the maximum permitted dimensions via a specially-crafted image file that exceeds the maximum permitted file size. The issue affects all versions of the VaultWiki 4.x series.
Patches
The following patches address the aforementioned issues:
- 4.1.1 Patch Level 5
- 4.1.0 Patch Level 7
- 4.1.0 RC 3 Patch Level 9*
*A patch was issued for this version even though it reached its end-of-life before the patch date, because at least one of the addressed issues was identified prior to its end-of-life. However, we recommend that users update to a more recent patched version.
Notes
We strongly recommend that all users running VaultWiki in a production environment update to a patched release.by Published on May 3, 2021 1:00 PM
As of May 3, security patches for May 2021 are now available.
Issue List
VWE-2021-6051 is a MySQL Injection issue, where a malicious administrator can execute arbitrary MySQL statements by utilizing a flaw in integration position management. The issue affects VaultWiki 4.1.0 Alpha 1 and higher.
VWE-2021-6076 is an HTML Injection issue, where a malicious editor can save specially crafted content that is later loaded as WYSIWYG editor content by an unsuspecting user editing the same page, and if the second user opens certain editor dialogs while having that content selected, the content can be displayed to the user unescaped. The issue affects all versions of the VaultWiki 4.x series.
VWE-2021-6087 is a Denial of Service issue, where a malicious editor can leverage fatal errors in handling of the WIDGET BB-Code's "sidebar" variant in order to cause any page they edit to resolve as a fatal error. The issue affects VaultWiki 4.1.0 Alpha 1 and higher, but only on XenForo 2.x platforms.
Patches
The following patches address the aforementioned issues:
- 4.1.1 Patch Level 4
- 4.1.0 Patch Level 6
- 4.1.0 RC 3 Patch Level 8
Notes
We strongly recommend that all users running VaultWiki in a production environment update to a patched release.by Published on March 5, 2021 5:44 PM
As of March 5, security patches for March 2021 are now available.
Issue List
VWE-2021-6177 is a Permissions Escalation issue, under which, when the last editor and original creator of a wiki page are different, the last editor of the page can protect the page so that only the creator can make changes, without the original creator's knowledge or consent. In such a case, until the original creator submits a new edit, even the original creator has no access to the controls necessary to reverse the protection. The issue affects VaultWiki 4.0.20 and higher.
Patches
The following patches address the aforementioned issue:
- 4.1.1 Patch Level 3
- 4.1.0 Patch Level 5
- 4.1.0 RC 3 Patch Level 7
- 4.1.0 RC 2 Patch Level 8
Notes
We recommend that all users running VaultWiki in a production environment update to a patched release.by Published on February 5, 2021 7:50 PM
As of February 5, security patches for February 2021 are now available.
Issue List
VWE-2021-6029 is a Permissions Escalation issue, by which users can bypass a required custom field by saving a meaningless value, then subsequently editing it to be blank; the subsequent edit does not complain that the required field was left blank. The issue affects VaultWiki 4.1.0 RC 2 and higher.
VWE-2021-6038 is a Permissions Escalation issue, where an improperly incrementing database key can cause some users to see wiki navigation links based on the permissions of another user. The issue affects VaultWiki 4.0.24 and higher.
Patches
The following patches address the aforementioned issues:
- 4.1.1 Patch Level 2
- 4.1.0 Patch Level 4
- 4.1.0 RC 3 Patch Level 6
- 4.1.0 RC 2 Patch Level 7
4.0.x Retires
This week marked the 1-year anniversary of VaultWiki 4.0.28, which was the last release in the 4.0.x series. Being more than 1 year old, it is no longer eligible for security updates. Because today's security update includes issues affecting 4.0.28, it is no longer considered safe to use and has been removed from the download menu. Consequently, there is now no public access to any 4.0.x version. If you were still waiting to upgrade to 4.1.x, that time is now.
Notes
We recommend that all users running VaultWiki in a production environment update to a patched release.by Published on December 13, 2020 3:37 PM
As of December 13, security patches for December 2020 are now available.
Issue List
VWE-2020-6005 is a Permissions Escalation issue, where records of used links, wanted categories, and template usages become updated by edits that still required moderator approval. The issue affects VaultWiki 2.0.0 Beta 3 and higher, including all prior versions of the VaultWiki 3.x and 4.x series.
VWE-2020-6013 is a Permissions Escalation issue, whereby accessing the correct URL directly, a user without permission to manage a feed's entries can access the form that allows modifying an individual entry; however, the user would not be able to save any attempted changes. The issue affects VaultWiki 4.0.0 and higher.
VWE-2020-6019 is a Permissions Escalation issue, where users who were granted permission to disambiguate content prior to the patch for VWE-2020-5862 are forever able to perform many other unrelated tasks regardless of their other permissions. The issue affects VaultWiki 4.1.0 RC 3 and higher.
Patches
The following patches address the aforementioned issues:
- 4.1.1 Patch Level 1
- 4.1.0 Patch Level 3
- 4.1.0 RC 3 Patch Level 5
- 4.1.0 RC 2 Patch Level 6
- 4.1.0 RC 1 Patch Level 7
- 4.0.28 Patch Level 7
Notes
We recommend that all users running VaultWiki in a production environment update to a patched release.by Published on December 13, 2020 3:14 PM
Last month VaultWiki 4.1.1 became available for licensed customers. This version is a maintenance release with over 50 bug fixes and style tweaks.
For a list of changes in this release, please see Changelog for 4.1.1. If you are a style or language pack maintainer, please check here for changes which may affect you.by Published on November 8, 2020 3:18 PM
As of November 8, security patches for November 2020 are now available.
Issue List
VWE-2020-5943 is a Denial of Service issue, where a sanitization issue in AJAX-submitted input allows invalid UTF-8 characters to pass verification, and could result in the prevention of moderator access to XenForo 2.x's approval queue if it contains affected content. The underlying sanitization issue has existed since 4.0.0 Gamma 6 and exists in all platforms; however, the code was never used on XenForo-based platforms in the VaultWiki 4.0.x series. The issue has been exploited in the wild as early as June 2017 on vBulletin-based platforms. The malicious effect can only be realized in the following situations:
- vBulletin installations, running VaultWiki 4.0.0 Gamma 6 or higher when exploited, if that installation converts to XenForo 1.x running VaultWiki, and later converts to XenForo 2.x running VaultWiki.
- XenForo installations, running VaultWiki 4.1.x or higher when exploited, if that installation now runs XenForo 2.x
VWE-2020-5948 is a Denial of Service issue, where a malicious user may be able to a force a wiki page into a permanently moderated state by leveraging unapproved minor edits. The issue affects all versions of the VaultWiki 4.x series.
VWE-2020-5953 is a Permissions Escalation issue, where a user can see certain non-area listings of content that exists in an area where that user has no permission to view the area's contents, as long as the user has permission to view the area's landing page. The issue affects VaultWiki 4.0.0 Alpha 6 and higher.
VWE-2020-5954 is a Permissions Escalation issue, where a user can see the name of a collaborative feed they don't have permission to view, as long as a page has been added to that feed already and the user has permission to add the same page to a different collaborative feed. The issue affects VaultWiki 4.0.0 and higher.
VWE-2020-5955 is a Permissions Escalation issue, where a user can see the name of a category they don't have permission to view, as long as they have permission to edit the categories for a page that is already listed in that category. The issue affects all versions of the VaultWiki 4.x series.
VWE-2020-5956 is a Permissions Escalation issue, where a user can see the name of a wiki page they don't have permission to view, as long as they have permission to edit translations for another page that is already a translation of that page. The issue affects all versions of the VaultWiki 4.x series.
VWE-2020-5963 is an Expired Pointer Dereference issue, which can lead to unintentional data corruption or data loss. When purging the current revision of a page, both the actioned page and another unrelated page may become damaged. The issue affects the actioned page in all versions of the VaultWiki 4.x series, and the additional unrelated page in 4.0.0 and higher.
Patches
The following patches address the aforementioned issues:
- 4.1.0 Patch Level 2
- 4.1.0 RC 3 Patch Level 4
- 4.1.0 RC 2 Patch Level 5
- 4.1.0 RC 1 Patch Level 6
- 4.0.28 Patch Level 6
Notes
We recommend that all users running VaultWiki in a production environment update to a patched release.
This site uses cookies to help personalize content, to tailor your experience, and to keep you logged in if you register.
By continuing to use this site, you are consenting to our use of cookies.
By continuing to use this site, you are consenting to our use of cookies.