-
VaultWiki News
by Published on November 15, 2019 10:23 AM
As of November 15, the security patches for November 2019 are now available.
Issue List
VWE-2019-5425 is a Permissions escalation, where users can view the output of embedded templates that were soft-deleted or rejected, even if they don't have staff permissions, as long as the page where the template was embedded was cached when viewed by another user who had the appropriate permission. The issue affects all versions of the VaultWiki 4.x series.
Patches
The following patches address the aforementioned issues:
- 4.0.27 Patch Level 2
- 4.0.26 Patch Level 4
- 4.0.25 Patch Level 6
4.1.x Issues
Since beta versions are not subject to the same patching policy as stable versions, the issue listed above is patched in a new build in the 4.1.x branch, 4.1.0 Beta 4 build 005. In addition, the following issue is known to have affected a prior build. To stay protected, please make sure you are running the latest build of the beta.
VWE-2019-5416 is a Permissions escalation, where wiki page contents are rendered using the viewing user's parser-related permissions for wiki comments that they post, rather than the appropriate parser-related area settings for wiki pages. The issue affects early downloads of 4.1.0 Beta 4 build 001 only, and only on vBulletin 4.x platforms. Users already running a later build or using VaultWiki on a different platform are not affected by this issue.
Notes
We recommend that all users running VaultWiki in a production environment update to a patched release as soon as they are able.by Published on October 12, 2019 6:59 PM
VaultWiki 4.1.0 Beta 4 is now available for download. This is primarily a maintenance release, containing at least 60 fixes and tweaks.
For a list of changes in this release, please see Changelog for 4.1.0 Beta 4. If you are a style or language pack maintainer, please check here for changes which may affect you.
State of the Beta
As some people may be aware, we originally intended to only have 3 beta releases for 4.1.x; however, due to last month's down time, we released an unpolished and unannounced Beta 3 beforehand in order to tide folks over.
But as the number of unresolved issues in the bug tracker approaches that of typical stable releases, and with only 1 more planned feature to roll out in 4.1.x, we fully expect that the next release will be proposed as stable -- that is, a Release Candidate.
Release Notes
Sites running 4.1.x Betas should upgrade to VaultWiki 4.1.0 Beta 4 as soon as they are able in order to improve stability. VaultWiki 4.1.0 Beta 4 is beta software. We recommend that beta software only be used in a test environment.by Published on October 12, 2019 1:50 PM
As of October 12, the security patches for October 2019 are now available.
Issue List
VWE-2019-5363 is a Permissions Escalation issue, where users are able to make unmoderated edits to the index and area pages, as long as they can make unmoderated edits to regular pages. The issue affects all versions of the 4.x series.
VWE-2019-5360 is a Permissions Escalation issue, where users can accidentally rename pages with HTML entities in the title, even if they don't have permission to rename pages. The issue affects all versions of the 4.x series.
VWE-2019-5375 is a Permissions Escalation issue, where regardless of other applicable types, users can rename any attachment as long as they have permission to rename attachments, and can rename other types of pages as long as they have permission to rename regular pages. The issue affects all versions of the 4.x series.
Patches
The following patches address the aforementioned issues:
- 4.0.27 Patch Level 1
- 4.0.26 Patch Level 3
- 4.0.25 Patch Level 5
4.1.x Issues
Since beta versions are not subject to the same patching policy as stable versions, the following issues will be patched in the next release of the 4.1.x branch, 4.1.0 Beta 4, in addition to any relevant issues listed above.
VWE-2019-5361 is a Permissions Escalation issue, where users can create new collaborative feeds in no area without awaiting approval, as long as they have global permissions to create collaborative feeds. The issue affects 4.1.0 Alpha 1 and higher.
VWE-2019-5391 is a Phishing issue, where user-positioned elements are not restricted within the relevant position's container. The issue affects 4.1.0 Alpha 1 and higher.
Notes
We recommend that all users running VaultWiki in a production environment update to a patched release as soon as they are able.by Published on August 4, 2019 2:19 PM
Beginning on or about the week of August 19, 2019 until on or about the week of September 23, 2019, there will be no new releases, little to no development, and close to zero support available from admins, due to medical conflicts that will occur during that time.
We expect to be fully operational again by October 1, 2019, with some development and/or support likely returning the prior week. In the interim, skeleton staff may be available to answer very basic questions.
Please consider this expected downtime when purchasing or renewing your licenses, ordering services, or updating to new versions. We apologize for any inconvenience this will cause.by Published on July 14, 2019 1:56 PM
As of July 14, 2019, VaultWiki 4.1.0 Beta 2 is now available. This release expands XenForo 2.1 support, adds some new features, and contains about 50 fixes and tweaks.
Custom Permissions for Individual Wiki Content
In Beta 2, the Protect tab has been expanded with a "Custom Rules" section, which allows content managers to tweak the permissions of specific users for that content.
For example, if you manage a wiki page that your friend does not have permission to edit, you can grant that permission to your friend.
Alternatively, if you manage a wiki page and there are specific users who have made bad contributions, you can revoke their editing capabilities for that page.
Similar options are available for feeds and who can add entries, as well as for discussions and who can reply.
XenForo 2.x Spam Cleaning
Beta 2 integrates with XenForo 2's Spam Cleaner. Now, when moderators opt to remove all content posted by spam users, wiki content will be included in that operation.
Resolved Security Issues
Since beta versions are not subject to the same patching policy as stable versions, the following issues are patched in this release of the 4.1.x branch, 4.1.0 Beta 2, in addition to any relevant issues that were already patched on the stable branch.
VWE-2019-5280 is a Subscription Management issue, where users may receive push notifications about wiki content, even though they have opted out of those notifications, as long as they are opted in to the corresponding alerts. The issue affected 4.1.0 Alpha 2 and higher, on XenForo 2.1 and higher.
Release Notes
Sites running 4.1.x Betas should upgrade to VaultWiki 4.1.0 Beta 2 as soon as they are able in order to improve stability. VaultWiki 4.1.0 Beta 2 is beta software. We recommend that beta software only be used in a test environment.by Published on July 12, 2019 1:55 PM
VaultWiki 4.0.27 is now available to customers with an active license. This is a maintenance release, containing about 5 bug fixes and style tweaks.
For a list of changes in this release, please see Changelog for 4.0.27. If you are a style or language pack maintainer, please check here for changes which may affect you.
Release Notes
The current release is 4.0.27, which should be usable on vBulletin-based and XenForo-based production sites.by Published on July 12, 2019 1:35 PM
As of July 12, the security patches for July 2019 are now available.
Issue List
VWE-2019-5275 is a Permissions Escalation issue, by which using template parameters in alternate parser types, such as plain-text, makes it possible to render content using settings from the wrong area. The issue affects VaultWiki 4.0.7 and higher, as well as patches for VWE-2015-1601. It only affects XenForo-based platforms.
Patches
As of July 12, 2019, the following patches address the aforementioned issue:
- 4.0.26 Patch Level 2
- 4.0.25 Patch Level 4
- 4.0.24 Patch Level 6
4.1.x Issues
Since beta versions are not subject to the same patching policy as stable versions, the following issues will be patched in the next release of the 4.1.x branch, 4.1.0 Beta 2, in addition to any relevant issues listed above.
VWE-2019-5280 is a Subscription Management issue, where users may receive push notifications about wiki content, even though they have opted out of those notifications, as long as they are opted in to the corresponding alerts. The issue affects 4.1.0 Alpha 2 and higher, on XenForo 2.1 or higher.
Notes
We recommend that all users running VaultWiki in a XenForo-based production environment update to a patched release.
This site uses cookies to help personalize content, to tailor your experience, and to keep you logged in if you register.
By continuing to use this site, you are consenting to our use of cookies.
By continuing to use this site, you are consenting to our use of cookies.