VWE-2017-3687 Viewing Source

[template]Vulnerability
| cve=
| aka=
| severity=High
| difficulty=Hard
| description=CAN-SPAM Non-compliance. Email subscriptions imported into VaultWiki from another installation of VaultWiki 4 do not handle unsubscribe links sent from the source wiki within the past 30 days.
| lite=no
| discover-date=March 1, 2017
| patch-date=March 30, 2017
| patches=4.0.17 Patch Level 1
4.0.16 Patch Level 2
4.0.15 Patch Level 6
4.0.14 Patch Level 9
4.0.13 Patch Level 9
4.0.12 Patch Level 10
4.0.11 Patch Level 10
4.0.10 Patch Level 11
| workaround=Use a MySQL query to downgrade all subscriptions from email alerts to on-site alerts:
[code]UPDATE vw_subscribe SET notifytype = 0[/code][/template]

[H="3"]Notes[/H]
The prior non-compliant behavior was consistent with that of vBulletin's and XenForo's own importers, which likewise import subscriptions without being able to process old unsubscribe links (sent within 30 days). Other add-ons that include importer functions may also be non-compliant. Although this is unrelated to VaultWiki, if you use other importers, such as when importing entire forums, it is recommended that you downgrade all imported subscriptions in a similar fashion to keep your site compliant and avoid fines. Please contact your software vendors for the appropriate queries to turn off email notifications for all imported content (threads, forums, social groups, albums, resources, and so on).

The issue did not affect other import sources such as MediaWiki or VaultWiki 3, due to a bug in those importers that incorrectly treated all subscriptions as non-email subscriptions.

Patches for this issue downgrade incoming email subscriptions to on-site alerts for new imports. Users will receive a final email notification for each subscription that is affected by this change.
For example:
[quote]Dear pegasus,

Due to recent changes to our subscription system at VaultWiki - Wiki for Forum Communities, email notifications for a Page you were watching called "Demo" have been deactivated.

The original Page is here:
[url]https://www.vaultwiki.org/demo/[/url]

If you wish to continue receiving email notifications for this Page, you can reactivate them here:
[url]https://www.vaultwiki.org/demo/?do=watch[/url]

If you no longer wish to receive email notifications, you do not need to take any action. This is the final email you will receive for this subscription.

Thanks from the staff,
VaultWiki - Wiki for Forum Communities
[url]https://www.vaultwiki.org/[/url]

~~~~~~~~
Unsubscription information:

This email is intended to notify you that you have been unsubscribed from email notifications automatically by our system. However, you are still watching the Page on our web site. You can manage your subscription here:
[url]https://www.vaultwiki.org/demo/?do=watch[/url][/quote]