VWE-2017-3978 Viewing Source [template]Vulnerability | cve= | aka= | severity=Extreme | difficulty=Hard | description=Remote Code Execution. When importing from VaultWiki 3 or 4 and using the undocumented $api_path capability: if the DNS is compromised, or if the remote server is compromised, the compromised server may be able to execute commands against the server running VaultWiki. | lite=no | discover-date=August 9, 2017 | patch-date=September 13, 2017 | patches=4.0.19 Patch Level 1 4.0.18 Patch Level 2 4.0.17 Patch Level 4 4.0.16 Patch Level 5 4.0.15 Patch Level 9 4.0.14 Patch Level 12 | workaround=Patches are not ready yet. Do not use $api_path for imports.[/template] 667 characters