    1. Welcome to VaultWiki.org, home of the wiki add-on for vBulletin and XenForo!

      VaultWiki allows your existing forum users to collaborate on creating and managing a site's content pages. VaultWiki is a fully-featured and fully-supported wiki solution for vBulletin and XenForo.

      The VaultWiki Team encourages you to join our community of forum administrators and check out VaultWiki for yourself.


      VaultWiki Security Update: March 2021 

      by
      pegasus
      Published on March 5, 2021 5:44 PM

      As of March 5, security patches for March 2021 are now available.

      Issue List

      VWE-2021-6177 is a Permissions Escalation issue, under which, when the last editor and original creator of a wiki page are different, the last editor of the page can protect the page so that only the creator can make changes, without the original creator's knowledge or consent. In such a case, until the original creator submits a new edit, even the original creator has no access to the controls necessary to reverse the protection. The issue affects VaultWiki 4.0.20 and higher.

      Patches

      The following patches address the aforementioned issue:
      • 4.1.1 Patch Level 3
      • 4.1.0 Patch Level 5
      • 4.1.0 RC 3 Patch Level 7
      • 4.1.0 RC 2 Patch Level 8


      Notes

      We recommend that all users running VaultWiki in a production environment update to a patched release.

      VaultWiki Security Update: February 2021 

      by
      pegasus
      Published on February 5, 2021 7:50 PM

      As of February 5, security patches for February 2021 are now available.

      Issue List

      VWE-2021-6029 is a Permissions Escalation issue, by which users can bypass a required custom field by saving a meaningless value, then subsequently editing it to be blank; the subsequent edit does not complain that the required field was left blank. The issue affects VaultWiki 4.1.0 RC 2 and higher.

      VWE-2021-6038 is a Permissions Escalation issue, where an improperly incrementing database key can cause some users to see wiki navigation links based on the permissions of another user. The issue affects VaultWiki 4.0.24 and higher.

      Patches

      The following patches address the aforementioned issues:
      • 4.1.1 Patch Level 2
      • 4.1.0 Patch Level 4
      • 4.1.0 RC 3 Patch Level 6
      • 4.1.0 RC 2 Patch Level 7


      4.0.x Retires

      This week marked the 1-year anniversary of VaultWiki 4.0.28, which was the last release in the 4.0.x series. Being more than 1 year old, it is no longer eligible for security updates. Because today's security update includes issues affecting 4.0.28, it is no longer considered safe to use and has been removed from the download menu. Consequently, there is now no public access to any 4.0.x version. If you were still waiting to upgrade to 4.1.x, that time is now.

      Notes

      We recommend that all users running VaultWiki in a production environment update to a patched release.

      VaultWiki Security Update: December 2020 

      by
      pegasus
      Published on December 13, 2020 3:37 PM

      As of December 13, security patches for December 2020 are now available.

      Issue List

      VWE-2020-6005 is a Permissions Escalation issue, where records of used links, wanted categories, and template usages become updated by edits that still required moderator approval. The issue affects VaultWiki 2.0.0 Beta 3 and higher, including all prior versions of the VaultWiki 3.x and 4.x series.

      VWE-2020-6013 is a Permissions Escalation issue, whereby accessing the correct URL directly, a user without permission to manage a feed's entries can access the form that allows modifying an individual entry; however, the user would not be able to save any attempted changes. The issue affects VaultWiki 4.0.0 and higher.

      VWE-2020-6019 is a Permissions Escalation issue, where users who were granted permission to disambiguate content prior to the patch for VWE-2020-5862 are forever able to perform many other unrelated tasks regardless of their other permissions. The issue affects VaultWiki 4.1.0 RC 3 and higher.

      Patches

      The following patches address the aforementioned issues:
      • 4.1.1 Patch Level 1
      • 4.1.0 Patch Level 3
      • 4.1.0 RC 3 Patch Level 5
      • 4.1.0 RC 2 Patch Level 6
      • 4.1.0 RC 1 Patch Level 7
      • 4.0.28 Patch Level 7


      Notes

      We recommend that all users running VaultWiki in a production environment update to a patched release.

      VaultWiki 4.1.1 

      by
      pegasus
      Published on December 13, 2020 3:14 PM

      Last month VaultWiki 4.1.1 became available for licensed customers. This version is a maintenance release with over 50 bug fixes and style tweaks.

      For a list of changes in this release, please see Changelog for 4.1.1. If you are a style or language pack maintainer, please check here for changes which may affect you.

      VaultWiki Security Update: November 2020 

      by
      pegasus
      Published on November 8, 2020 3:18 PM

      As of November 8, security patches for November 2020 are now available.

      Issue List

      VWE-2020-5943 is a Denial of Service issue, where a sanitization issue in AJAX-submitted input allows invalid UTF-8 characters to pass verification, and could result in the prevention of moderator access to XenForo 2.x's approval queue if it contains affected content. The underlying sanitization issue has existed since 4.0.0 Gamma 6 and exists in all platforms; however, the code was never used on XenForo-based platforms in the VaultWiki 4.0.x series. The issue has been exploited in the wild as early as June 2017 on vBulletin-based platforms. The malicious effect can only be realized in the following situations:
      • vBulletin installations, running VaultWiki 4.0.0 Gamma 6 or higher when exploited, if that installation converts to XenForo 1.x running VaultWiki, and later converts to XenForo 2.x running VaultWiki.
      • XenForo installations, running VaultWiki 4.1.x or higher when exploited, if that installation now runs XenForo 2.x
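
For administrators who want to check whether stored content contains the kind of invalid UTF-8 described in VWE-2020-5943, here is an added example (not VaultWiki code) of a strict UTF-8 scan over raw byte strings. The record ids and contents are constructed sample data, and how the bytes are exported from the forum database is left as an assumption.

```python
# Added example: locate stored text that is not valid UTF-8.
# Works on raw bytes; exporting them from the database is outside this sketch.

def first_invalid_utf8(data: bytes):
    """Return (offset, reason) of the first invalid sequence, or None if valid."""
    try:
        data.decode("utf-8", errors="strict")
    except UnicodeDecodeError as exc:
        return exc.start, exc.reason
    return None


def scan_records(records):
    """records: iterable of (record_id, raw_bytes). Returns a list of findings."""
    findings = []
    for record_id, raw in records:
        bad = first_invalid_utf8(raw)
        if bad is None:
            continue
        offset, reason = bad
        findings.append({
            "id": record_id,
            "offset": offset,
            "reason": reason,
            # Short hex window around the offending byte, for triage
            "context_hex": raw[max(0, offset - 4): offset + 4].hex(),
        })
    return findings


# Constructed sample records (id, raw bytes as stored)
SAMPLE_RECORDS = [
    (1, "plain ASCII title".encode("utf-8")),
    (2, "valid multi-byte: caf\u00e9 \u2713".encode("utf-8")),
    (3, b"truncated sequence \xe2\x82"),   # 3-byte character cut short
    (4, b"overlong slash \xc0\xaf end"),    # overlong encoding, never valid
    (5, b"lone continuation \x80 byte"),    # continuation byte with no lead byte
    (6, b"surrogate \xed\xa0\x80 half"),    # UTF-16 surrogate encoded as UTF-8
]

if __name__ == "__main__":
    for finding in scan_records(SAMPLE_RECORDS):
        print(finding)
```

Records flagged by a scan like this are candidates for review or repair before a moderator queue has to render them.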


      VWE-2020-5948 is a Denial of Service issue, where a malicious user may be able to force a wiki page into a permanently moderated state by leveraging unapproved minor edits. The issue affects all versions of the VaultWiki 4.x series.

      VWE-2020-5953 is a Permissions Escalation issue, where a user can see certain non-area listings of content that exists in an area where that user has no permission to view the area's contents, as long as the user has permission to view the area's landing page. The issue affects VaultWiki 4.0.0 Alpha 6 and higher.

      VWE-2020-5954 is a Permissions Escalation issue, where a user can see the name of a collaborative feed they don't have permission to view, as long as a page has been added to that feed already and the user has permission to add the same page to a different collaborative feed. The issue affects VaultWiki 4.0.0 and higher.

      VWE-2020-5955 is a Permissions Escalation issue, where a user can see the name of a category they don't have permission to view, as long as they have permission to edit the categories for a page that is already listed in that category. The issue affects all versions of the VaultWiki 4.x series.

      VWE-2020-5956 is a Permissions Escalation issue, where a user can see the name of a wiki page they don't have permission to view, as long as they have permission to edit translations for another page that is already a translation of that page. The issue affects all versions of the VaultWiki 4.x series.

      VWE-2020-5963 is an Expired Pointer Dereference issue, which can lead to unintentional data corruption or data loss. When purging the current revision of a page, both the actioned page and another unrelated page may become damaged. The issue affects the actioned page in all versions of the VaultWiki 4.x series, and the additional unrelated page in 4.0.0 and higher.

      Patches

      The following patches address the aforementioned issues:
      • 4.1.0 Patch Level 2
      • 4.1.0 RC 3 Patch Level 4
      • 4.1.0 RC 2 Patch Level 5
      • 4.1.0 RC 1 Patch Level 6
      • 4.0.28 Patch Level 6


      Notes

      We recommend that all users running VaultWiki in a production environment update to a patched release.

      VaultWiki Security Update: September 2020 

      by
      pegasus
      Published on September 28, 2020 3:47 PM

      As of September 28, security patches for September 2020 are now available.

      Issue List

      VWE-2020-5875 is a Permissions Escalation issue, whereby if there is an existing upload a user and others don't have permission to view, the user can create a duplicate of that upload in an area where they do have permission, if the user can guess the file's hash. The issue affects all versions of the VaultWiki 4.x series.

      VWE-2020-5930 is a Permissions Escalation issue, where by leveraging template inclusions, for a template that contains media-related BB-Codes in an area that disallows such tags, these tags might be parsed within the context of a different area that does allow them. The issue affects VaultWiki 4.0.9 and higher.

      VWE-2020-5937 is a Permissions Escalation issue, where by leveraging page-level whitelists, a lower-level user could revoke an administrator's or moderator's permission to modify affected pages. The issue affects VaultWiki 4.1.0 Beta 2 and higher.

      Patches

      The following patches address the aforementioned issues:
      • 4.1.0 Patch Level 1
      • 4.1.0 RC 3 Patch Level 3
      • 4.1.0 RC 2 Patch Level 4
      • 4.1.0 RC 1 Patch Level 5
      • 4.0.28 Patch Level 5


      Notes

      We recommend that all users running VaultWiki in a production environment update to a patched release.

      VaultWiki 4.1.0 

      by
      pegasus
      Published on August 12, 2020 6:36 PM

      After several successful rounds of release candidates, we are pleased to announce VaultWiki 4.1.0. Bug reports since the last release candidate have quieted to such a degree that we are comfortable labeling this release as stable.

      Aside from all the new features that 4.1.0 betas introduced, this release includes over 80 bug fixes, resolving issues discovered in the last round and during our continuous internal code review process.

      XenForo 2.2.x Compatibility

      While we were wrapping up this release, XenForo 2.2.x Betas became public, and we learned that previous versions of VaultWiki would not run on those versions without encountering fatal errors and other showstopper issues. So we took some additional time to ensure that VaultWiki 4.1.0 would run under those new XenForo 2.2.x versions.

      Thus, VaultWiki 4.1.0 is the first version that will run on XenForo 2.2.x. However, please note that we have not implemented any new XenForo 2.2.x features at this time.

      Looking Ahead

      Over the coming months, our main focus will be migrating this site to XenForo 2. In addition to the normal forum, wiki, and other add-ons, there is a significant amount of in-house code that has to be rewritten for XenForo 2. So the migration will occur as soon as it is feasible.

      At the same time, main development now turns to the next feature branch of VaultWiki. For the life of 4.1.x, we expect future releases to mainly be for maintenance; that is, bug fixes or fixing style issues.

      As mentioned elsewhere, there will be no further releases in the 4.0.x series, except security patches for the rest of its supported life, which is roughly 6 months from the time of writing. If you are still running 4.0.x, you should endeavor to upgrade before that time.

      VaultWiki 4.1.x will be the last series to support vBulletin 3.x, vBulletin 4.0.x-4.1.x, XenForo 1.x, and XenForo 2.0.x. While there is plenty of life left for this branch, please be aware that you should aim to upgrade your forum to a newer version at some point, or you may find yourself unable to upgrade to the next branch.

      Release Notes

      VaultWiki 4.1.0 is now considered stable. We recommend that customers using earlier versions in a live environment update as soon as they are able.

    All times are GMT -4.