VWE-2017-4287
Current Revision
April 8, 2018, 11:24 PM
Differences in Content
-
[template]Vulnerability
| cve=
| aka=
| severity=High
| difficulty=Normal -
-
| description=Denial of Service. Due to a flaw in the integration system, users with certain permissions may be able to replace certain forum nodes with fatal errors. Does not affect VaultWiki Lite. -
+
| description=Denial of Service. Due to a flaw in the integration system, users with certain permissions may be able to replace certain forum nodes with fatal errors.
| lite=no -
| discover-date=November 19, 2017
| patch-date=December 1, 2017
| patches=4.0.20 Patch Level 1
4.0.19 Patch Level 4
4.0.18 Patch Level 5
4.0.17 Patch Level 7
4.0.16 Patch Level 8
4.0.15 Patch Level 12
| workaround=In the Wiki Admin Panel, go to Content > Integration, and delete all forum integrations (disabling will not work).[/template]
[h=3]Notes[/h]
The patch will not correct existing fatal errors; this would require a full upgrade when the next version is released. For forums that were already replaced with fatal errors, run the following MySQL query (replacing "AFFECTED_FORUM_ID" with the appropriate number):
[code]DELETE vw_integrate
FROM vw_integrate AS vw_integrate
LEFT JOIN vw_nodetype AS vw_nodetype ON (vw_nodetype.id = vw_integrate.itemtypeid)
WHERE vw_nodetype.accesskey = 'Page'
AND vw_integrate.nodeid = AFFECTED_FORUM_ID[/code]
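Before running the DELETE above, an administrator may want to see which rows it will remove and confirm the count afterwards. The following is an added example, not part of the original advisory; it uses only the tables and columns named in the query above, keeps the AFFECTED_FORUM_ID placeholder, and assumes the tables use a transactional engine such as InnoDB so that ROLLBACK is possible.

```sql
-- Added example (not from the VaultWiki advisory).
-- Replace AFFECTED_FORUM_ID with the affected forum's numeric ID, as in the query above.

-- 1. Preview: list the integration rows the cleanup query would delete.
SELECT vw_integrate.nodeid, vw_integrate.itemtypeid, vw_nodetype.accesskey
FROM vw_integrate AS vw_integrate
LEFT JOIN vw_nodetype AS vw_nodetype ON (vw_nodetype.id = vw_integrate.itemtypeid)
WHERE vw_nodetype.accesskey = 'Page'
AND vw_integrate.nodeid = AFFECTED_FORUM_ID;

-- 2. Delete inside a transaction so the result can be checked before it is permanent.
-- Assumption: both tables use a transactional engine (e.g. InnoDB); on MyISAM the
-- DELETE takes effect immediately and ROLLBACK does nothing.
START TRANSACTION;

DELETE vw_integrate
FROM vw_integrate AS vw_integrate
LEFT JOIN vw_nodetype AS vw_nodetype ON (vw_nodetype.id = vw_integrate.itemtypeid)
WHERE vw_nodetype.accesskey = 'Page'
AND vw_integrate.nodeid = AFFECTED_FORUM_ID;

-- Number of rows removed by the DELETE; it should match the preview row count.
SELECT ROW_COUNT() AS deleted_rows;

-- 3. Finish with exactly one of:
-- COMMIT;    -- the count matches the preview
-- ROLLBACK;  -- the count is unexpected
```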