The versions listed below are known to be affected by this issue. If you are using one of those versions, you should update to a newer release that has no known vulnerabilities.
Common Name None VWE-ID VWE-2017-3979 Related Report #5026 Severity HIGH Exploit Difficulty EASY Platform Affects all platforms supported by the vulnerable versions. Description Decompression Bomb. Does not affect Lite versions.
Discovered Related issue: April 28, 2017
Proof of concept: August 9, 2017
Resolved September 13, 2017 Patches Available 4.0.19 Patch Level 1
4.0.18 Patch Level 2
4.0.17 Patch Level 4
4.0.16 Patch Level 5
4.0.15 Patch Level 9
4.0.14 Patch Level 12
Workaround For versions 4.0.14 and later, perform the following:
After applying a patch, restore these settings to reactivate uploads and proxying.
- Set Options > VaultWiki: Content Types > Maximum Disk Usage for All Attachments (MB) = 0. This will reject all new uploads.
- Set Options > VaultWiki: Miscellaneous > Maximum Disk Usage for All Proxy Images (MB) = 0. This will disable the external image proxy.
There is no workaround for versions 4.0.13 and earlier. They are no longer supported; update to a more recent version and perform the steps above.
Categories: XSS:4.0.0 Alpha 1, XSS:4.0.0 Alpha 2, XSS:4.0.0 Alpha 3, XSS:4.0.0 Alpha 4, XSS:4.0.0 Alpha 5, XSS:4.0.0 Alpha 6, XSS:4.0.0 Alpha 7, XSS:4.0.0 Beta 1, XSS:4.0.0 Beta 2, XSS:4.0.0 Beta 3, XSS:4.0.0 Beta 4, XSS:4.0.0 Beta 5, XSS:4.0.0 Beta 6, XSS:4.0.0 Beta 7, XSS:4.0.0 Gamma 1, XSS:4.0.0 Gamma 2, XSS:4.0.0 Gamma 3, XSS:4.0.0 Gamma 4, XSS:4.0.0 Gamma 5, XSS:4.0.0 Gamma 6, XSS:4.0.0 Gamma 7, XSS:4.0.0 Patch Level 1, XSS:4.0.0 Patch Level 2, XSS:4.0.0 Patch Level 3, XSS:4.0.0 Patch Level 4, More…