VaultWiki News

As of February 20, security patches for February 2025 are now available.

Issue List

VWE-2025-6644 is a Denial of Service issue, where a user can replace regular non-wiki content with a fatal error by posting a GALLERY tag. The issue affects VaultWiki 4.1.6 and higher, on vBulletin and XenForo 1.x platforms only.

VWE-2025-6645 is a Permissions Escalation issue, where a sandbox break can occur while rendering a BB-Code tag with parsible advanced-style tag options, which generally applies to all BB-Code tags with advanced-style tag options, such as unfurlable URL tags, when used within a wiki template context. Such a tag's child content that should normally be unrendered according to sandbox rules may be unexpectedly rendered anyway. The issue affects all versions of the VaultWiki 4.1.x series, on XenForo 2.x platforms only.

VWE-2025-6646 is an Upgrade issue, where initiating the upgrade process could trigger a fatal error. The issue affects VaultWiki 4.1.8 Patch Level 1, on XenForo 2.x platforms only.

Patches

The following patches address the aforementioned issues:

• 4.1.8 Patch Level 2

Notes

We highly recommend that all users running VaultWiki in a production environment update to a patched release.

As of January 5, security patches for January 2025 are now available.

Issue List

VWE-2024-6630 is a Permissions Escalation issue, where a user can rename content even though they don't have permission to rename content, by modifying the HTML structure of the editor interface in their browser prior to submission. The issue affects VaultWiki 4.1.0 Alpha 1 and higher.

VWE-2024-6631 is a Permissions Escalation issue, where a user who has permission to rename content can create synonyms using the previous name even though they don't have permission to create synonyms. The issue effects all versions of the VaultWiki 4.x series.

VWE-2024-6632 is a Permissions Escalation issue, where a user can change an existing page into an anonymous page without generating a synonym using the previous name even though they don't have permission to remove the existing page. The issue affects all versions of the VaultWiki 4.x series.

VWE-2024-6633 is a Backup Restoration issue, where the fully-qualified values of class locations are hardcoded into cache, which is not portable when the database is migrated to another server or directory location on a different day, preventing the software from functioning at the new location. The issue affects VaultWiki 4.1.7 and higher.

VWE-2024-6634 is a Denial of Service issue, where a user who has permission to roll back page revisions can inadvertently make the page inaccessible, unavailable to various search filters, or prevent certain BB-Codes from correctly rendering references to the page, if certain changes to the page are affected by the rollback. The issue affects all versions of the VaultWiki 4.x series.

VWE-2024-6636 is an Incorrect Synchronization issue, where fetching a page with node-level behaviors before routing to that same page can cause an unexpected result when a page with different behaviors is fetched afterwards, which may additionally result in data loss if the latter page is to be modified. The issue affects all versions of the VaultWiki 4.x series.

VWE-2024-6637-1 is an Upgrade issue, where upgrading to VaultWiki for XenForo 2.3 directly from VaultWiki for XenForo 1.x results in wiki moderators that do not have access to the approval queue. The issue affects VaultWiki 4.1.8 and higher, but only on XenForo 2.3 and higher.

VWE-2024-6637-2 is an Upgrade issue, where upgrading to a VaultWiki for XenForo 2.x version of 4.1.3 or later directly from VaultWiki for XenForo 1.x results in VaultWiki unable to find its own database tables partway through the upgrade process and permanently thereafter. The issue affects VaultWiki 4.1.3 and higher, on XenForo 2.x platforms only.

• The patch prevents the issue from occurring in the future. If you are already experiencing this issue, manually execute the following MySQL query:
  
  Code:

  INSERT IGNORE INTO vw_patchinfo
  SELECT `version`, `label`
  FROM xf_vw_patchinfo

VWE-2024-6638 is an Upgrade issue, where upgrading to a VaultWiki for XenForo 2.x version of 4.1.6 or later directly from VaultWiki for XenForo 1.x, while another add-on is already installed that extends XenForo's parser classes, VaultWiki is unable to extend the parser classes needed to complete the upgrade. The issue affects VaultWiki 4.1.6 and higher, on XenForo 2.x platforms only.

VWE-2024-6639 is a Permissions Escalation issue, where wiki content stored at the wiki index ignores the wiki index's rules and permissions for what types of syntax may be parsed. The issue affects all versions of the VaultWiki 4.x series, in PHP versions prior to the 8.x series only.

Patches

The following patches address the aforementioned issues:

• 4.1.8 Patch Level 1

VaultWiki 3.x Issues

Even though the VaultWiki 3.x series has not been updated for a decade and no longer receives patches, we do occasionally discover new issues affecting that series which require disclosure. As has been the guidance for many years now, anyone still running VaultWiki 3.x (or earlier!) in a production environment should upgrade to a supported version of VaultWiki 4.x immediately.

VWE-2024-0235-1 is an Arbitrary Code Execution issue, where a malicious user can post specially-crafted [HTML] BB-Code tags within wiki content and execute arbitrary PHP code on the server. The issue affects all versions of the VaultWiki 2.x and 3.x series.

Notes

We strongly recommend that all users running VaultWiki in a production environment update to a patched release.

As of September 23, VaultWiki 4.1.8 is now available for licensed customers. This version contains over 180 bug fixes and tweaks, and introduces support for new versions of XenForo and PHP.

For a list of changes in this release, please see Changelog for 4.1.8. If you are a style or language pack maintainer, please check here for changes which may affect you.

XenForo 2.3 Support

VaultWiki 4.1.8 adds support for XenForo 2.3 and its new features such as featured content, trending content, and content embeds. For the best stability and feature support, XenForo 2.3.2 or higher is recommended.

WARNING! Because XenForo 2.3 includes significant changes to its architecture, you must follow the following procedure when upgrading a XenForo 2.2 installation that already has VaultWiki, or you will encounter site breaking errors. We highly recommend performing a test upgrade on a test copy of your site before attempting to upgrade your live site.

1. While running XenForo 2.2, in the AdminCP, go to Add-ons > Add-ons, and disable VaultWiki.
2. Upload the XenForo 2.3 files and upgrade XenForo to version 2.3.
3. Upload the contents of the VaultWiki 4.1.8 package for XenForo 2.3.
4. In the AdminCP, go to Add-ons > Add-ons, and re-enable VaultWiki.
5. On the same page, click the button to "Upgrade" VaultWiki.

Release Notes

VaultWiki 4.1.8 improves product stability. We encourage everyone using VaultWiki to update to this release for the best experience and compatibility.

As of September 7, security patches for September 2024 are now available.

This patch addresses a minor Permissions Escalation issue (VWE-2024-6542), where users are able to post wiki content containing more than the maximum number of IMG, MEDIA, and XFMG's GALLERY tags, as defined by the options Maximum images per message and Maximum media per message. The issue only applies to XenForo-based environments.

The patch addresses the issue by applying these options as follows:

• Wiki comments: Tags are counted the same as normal forum posts.
• Wiki pages and other content: Tags are totaled across the main content, any custom field values, and within included templates.

The following patches address the aforementioned issue:

• 4.1.7 Patch Level 3

If you limit the maximum number of these tags in forum messages, you may wish to update to a patched release so that the limit also applies to wiki content. A future version will include separate options for wiki page content, in case you prefer to have a higher maximum value than for regular forum posts.

As of June 11, security patches for June 2024 are now available.

This patch addresses a Compatibility Break issue (VWE-2024-6541) caused by new changes in XenForo versions 2.1.15 and 2.2.16, which prevents VaultWiki's bundled Javascript functionality from working properly and quickly fills the forum's Server Error Logs.

The following patches address the aforementioned issue:

• 4.1.7 Patch Level 2

We strongly recommend that all users running VaultWiki in a XenForo-based production environment update to a patched release, if they have already upgraded to the affected XenForo versions or if they plan to.

As of March 8, security patches for March 2024 are now available.

Issue List

VWE-2024-6530 is an Uninstall issue, where uninstallation is interrupted by an E_WARNING if there is a wiki moderator who is neither a super moderator nor a moderator of non-wiki content. The issue affects VaultWiki 4.1.0 Beta 4 and higher, on XenForo 2.x-based platforms only.

VWE-2024-6531 is an Install issue, where a database error prevents access to the install script. The issue affects VaultWiki 4.1.7 and higher, on vBulletin-based platforms only.

VWE-2024-6532 is an Uninstall issue, where a fatal error prevents access to the uninstall script. The issue affects all versions of the VaultWiki 4.1.x series, on XenForo 1.x-based platforms only.

VWE-2024-6534 is an Install issue, where the moderator creation popup does not appear if existing usergroups contain non-UTF-8 characters, preventing the install process from completing. The issue affects all versions of the VaultWiki 4.1.x series, on vBulletin-based platforms only.

VWE-2024-6535 is an Install issue, where a fatal error occurs during installation of default option values. The issue affects VaultWiki 4.1.5 and higher, on XenForo 1.x-based platforms only.

VWE-2024-6537 is a Data Loss issue, where a user who leaves all wiki social groups, or who is a wiki moderator that is removed as wiki moderator, will be removed from all secondary user groups. The issue affects VaultWiki 4.0.9 and higher, on vBulletin-based platforms only.

VWE-2024-6538 is a Permissions Escalation issue, where administrators receive an error when attempting to edit custom permissions for guests within a specific area, preventing them from revoking permissions in that area. The issue affects VaultWiki 4.1.5 and higher, on XenForo-based platforms only.

VWE-2024-6539 is an Install issue, where a fatal error occurs when installing default wiki content, due to a flawed workaround for a bug in XenForo 2.2.13 that leaves parser classes unavailable during installation. The issue affects VaultWiki 4.1.7, on XenForo 2.x-based platforms only.

Patches

The following patches address the aforementioned issues:

• 4.1.7 Patch Level 1

Notes

We strongly recommend that all users running VaultWiki in a vBulletin-based production environment update to a patched release. We recommend that all users running VaultWiki in a XenForo-based production environment update to a patched release.