The versions listed below are known to be affected by this issue. If you are using one of those versions, you should update to a newer release that has no known vulnerabilities.
Common Name None VWE-ID VWE-2018-4673 Related Report None Severity HIGH Exploit Difficulty EASY Platform XenForo Description GDPR. Some data retention policies may be in conflict with VaultWiki's handling of IP addresses if those policies were written without consulting VaultWiki support.
Discovered October 6, 2018 Resolved October 8, 2018 Patches Available 4.0.24 Patch Level 1
4.0.23 Patch Level 3
4.0.22 Patch Level 5
4.0.21 Patch Level 6
4.0.20 Patch Level 9Notes
This issue is resolved by making VaultWiki's IP retention more consistent with related XenForo admin options. After patching, IPs should be cleaned automatically at XenForo's next scheduled IP prune task.
This is not considered to be an issue for XenForo sites that have IP pruning disabled, nor for vBulletin sites which do not have an option to prune IPs; in these cases, VaultWiki assumes that IPs are retained indefinitely. However, you may way wish to review whether your site's privacy policy states this and update it as appropriate.
If you use a custom or third-party solution to clean IPs, especially for vBulletin sites, you should contact VaultWiki support for advice on how to include its data in your cleaner.
This page has been seen 332,967 times.
-
-
Created by on
-