The versions listed below are known to be affected by this issue. If you are using one of those versions, you should update to a newer release that has no known vulnerabilities.
Common Name: VerQuatch Vulnerability
VWE-ID: VWE-2016-3063
Related Report: None
Severity: HIGH
Exploit Difficulty: EASY
Platform: Affects all platforms supported by the vulnerable versions.
Description: Local File Inclusion. In PHP < 5.3.3, also Remote Code Execution.
Discovered: November 14, 2016
Resolved: November 15, 2016
Patches Available:
- 4.0.15 Patch Level 1
- 4.0.14 Patch Level 4
- 4.0.13 Patch Level 4
- 4.0.12 Patch Level 5
- 4.0.11 Patch Level 5
- 4.0.10 Patch Level 6
- 4.0.9 Patch Level 6
- 4.0.8 Patch Level 8
Workaround: It is not possible to work around this vulnerability. A successful exploit is still possible even while VaultWiki is disabled in your site's Add-On/Product Manager.
Notes: This vulnerability allowed attackers to potentially read the contents of any file that was readable by your PHP user. After patching, please ensure that any other sensitive data that may be stored on your file system is secure. Some example measures include:
- Change the MySQL password for your installation.
- If using vBulletin, and your forum is configured to cache the datastore as files (see includes/config.php), then change the SMTP password for your forum's SMTP sender address.
- If your site uses SSL, regenerate your private key and certificates.