VWE-2018-4673
Return to current revision
Current Revision
October 8, 2018, 1:58 PM
Differences in Content
-
[template]Vulnerability
| cve=
| aka=
| severity=High
| difficulty=Easy
| description=GDPR. Some data retention policies may be in conflict with VaultWiki's handling of IP addresses if those policies were written without consulting VaultWiki support.
| platform=XF
| lite=
| issueid=
| discover-date=October 6, 2018
| patch-date=October 8, 2018
| patches=4.0.24 Patch Level 1
4.0.23 Patch Level 3
4.0.22 Patch Level 5
4.0.21 Patch Level 6
4.0.20 Patch Level 9
| workaround=
[/template]
[H="3"]Notes[/H]
This issue is resolved by making VaultWiki's IP retention more consistent with related XenForo admin options. After patching, IPs should be cleaned automatically at XenForo's next scheduled IP prune task.
This is not considered to be an issue for XenForo sites that have IP pruning disabled, nor for vBulletin sites which do not have an option to prune IPs; in these cases, VaultWiki assumes that IPs are retained indefinitely. However, you may way wish to review whether your site's privacy policy states this and update it as appropriate.
If you use a custom or third-party solution to clean IPs, especially for vBulletin sites, you should contact VaultWiki support for advice on how to include its data in your cleaner.