The versions listed below are known to be affected by this issue. If you are using one of those versions, you should update to a newer release that has no known vulnerabilities.
Common Name: None
VWE-ID: VWE-2017-3687
Related Report: None
Severity: HIGH
Exploit Difficulty: Difficult
Platform: Affects all platforms supported by the vulnerable versions.
Description: CAN-SPAM Non-compliance. Email subscriptions imported into VaultWiki from another installation of VaultWiki 4 do not handle unsubscribe links sent from the source wiki within the past 30 days. Does not affect Lite versions.
Discovered: March 1, 2017
Resolved: March 30, 2017
Patches Available:
4.0.17 Patch Level 1
4.0.16 Patch Level 2
4.0.15 Patch Level 6
4.0.14 Patch Level 9
4.0.13 Patch Level 9
4.0.12 Patch Level 10
4.0.11 Patch Level 10
4.0.10 Patch Level 11
Workaround: Use a MySQL query to downgrade all subscriptions from email alerts to on-site alerts:
Code:
UPDATE vw_subscribe
SET notifytype = 0
Notes
The prior behavior of non-compliance was consistent with the non-compliant behavior of vBulletin's and XenForo's own importers, which likewise import subscriptions without being able to process old unsubscribe links (sent within 30 days). Other add-ons that include importer functions may also be non-compliant. While unrelated to VaultWiki, if you are using other importers, such as when importing entire forums, it is recommended that you downgrade all imported subscriptions in a similar fashion in order to keep your site compliant and avoid fines. Please contact your various software vendors for the appropriate queries in order to turn off email notifications for all imported content (threads, forums, social groups, albums, resources, and so on).
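The workaround query above rewrites every row in vw_subscribe, so it is worth recording what it will change and keeping a copy first. The following MySQL session is an added example, not part of the original advisory or VaultWiki's own tooling; the backup table name is hypothetical, and the table name is used exactly as the advisory gives it.

```sql
-- 1. See how subscriptions are currently distributed. Per the advisory,
--    notifytype = 0 is an on-site alert; any other value will be downgraded.
SELECT notifytype, COUNT(*) AS subscriptions
FROM vw_subscribe
GROUP BY notifytype;

-- 2. Keep a copy of the table as it is now (hypothetical backup name).
CREATE TABLE vw_subscribe_backup LIKE vw_subscribe;
INSERT INTO vw_subscribe_backup SELECT * FROM vw_subscribe;

-- 3. Apply the workaround. The WHERE clause gives the same end state as the
--    advisory's query but only touches rows that actually change.
UPDATE vw_subscribe
SET notifytype = 0
WHERE notifytype <> 0;

-- 4. Number of subscriptions that were downgraded by step 3.
SELECT ROW_COUNT() AS downgraded;

-- 5. Verify: this must return 0 once the workaround has been applied.
SELECT COUNT(*) AS remaining_non_onsite
FROM vw_subscribe
WHERE notifytype <> 0;

-- Rollback, if needed: swap the copy back in. Subscriptions created after
-- step 2 are not in the copy, so run this only shortly after the change.
-- RENAME TABLE vw_subscribe TO vw_subscribe_downgraded,
--              vw_subscribe_backup TO vw_subscribe;
```

The count from step 4 should equal the sum of the non-zero rows reported in step 1; a mismatch means subscriptions changed between the two statements.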
The issue did not affect other import sources such as MediaWiki or VaultWiki 3, due to a bug in those importers that incorrectly treated all subscriptions as non-email subscriptions.
Patches for this issue downgrade incoming email subscriptions to on-site alerts for new imports. Users will receive a final email notification for each subscription that is affected by this change. For example:
Dear pegasus,
Due to recent changes to our subscription system at VaultWiki - Wiki for Forum Communities, email notifications for a Page you were watching called "Demo" have been deactivated. The original Page is here: https://www.vaultwiki.org/demo/
If you wish to continue receiving email notifications for this Page, you can reactivate them here:
https://www.vaultwiki.org/demo/?do=watch
If you no longer wish to receive email notifications, you do not need to take any action. This is the final email you will receive for this subscription.
Thanks from the staff,
VaultWiki - Wiki for Forum Communities
https://www.vaultwiki.org/
~~~~~~~~
Unsubscription information:
This email is intended to notify you that you have been unsubscribed from email notifications automatically by our system. However, you are still watching the Page on our web site. You can manage your subscription here:
https://www.vaultwiki.org/demo/?do=watch