VWE-2017-3682
Current Revision
April 8, 2018, 11:33 PM
Differences in Content
-
[template]Vulnerability
| cve=
| aka=
| severity=High
| difficulty=Hard -
-
| description=CAN-SPAM Non-compliance. Some wiki subscriptions imported from another installation running VaultWiki 4.0.16+ would send emails with invalid unsubscribe links. Does not affect Lite versions, but imports from Lite versions may be affected. -
+
| description=CAN-SPAM Non-compliance. Some wiki subscriptions imported from another installation running VaultWiki 4.0.16+ would send emails with invalid unsubscribe links.
| lite=no -
| discover-date=March 15, 2017
| patch-date=March 30, 2017
| patches=4.0.17 Patch Level 1
4.0.16 Patch Level 2
4.0.15 Patch Level 6
4.0.14 Patch Level 9
4.0.13 Patch Level 9
4.0.12 Patch Level 10
4.0.11 Patch Level 10
4.0.10 Patch Level 11
| workaround=In 4.0.17, use the provided inline moderation controls to unsubscribe all users from any content that was imported from VaultWiki 4.0.16+, or use the following MySQL queries to unsubscribe all users from all content:
[code]TRUNCATE TABLE vw_subscribe;
TRUNCATE TABLE vw_subscribelog;
UPDATE vw_usercount SET vw_subscribed = 0;[/code][/template]
[h=3]Notes[/h]
The patches prevent new imports from generating invalid unsubscribe links in future emails. For already-affected imports, use one of the provided workarounds.
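Review bot: the "+" description line drops the sentence "Does not affect Lite versions, but imports from Lite versions may be affected." that the "-" line carried. A lite=no field can record only the first half of that sentence, so the statement that imports from Lite versions may be affected would no longer appear anywhere in the entry. Suggest keeping that clause in the description or restating it under Notes, since it tells administrators whether content imported from a Lite installation needs the workaround.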