      VaultWiki Security Update: May 2022 

      by
      pegasus
      Published on May 3, 2022 2:27 PM

      As of May 3, security patches for May 2022 are now available.

      Issue List

      VWE-2022-6416 is an Information Disclosure issue, where some variants of the VAR BB-Code allow any wiki editor to view and publicize the current VaultWiki version number. The issue affects VaultWiki 4.0.19 and higher. Prior to 4.0.19, Information Disclosures were not treated as security issues.

      VWE-2022-6420 is an HTML Injection issue, where by leveraging a flaw in the cropping of overly-long WIKI BB-Code usages, a malicious user can modify the expected contents of HTML blocks outside the intended user-generated content locations. The issue affects VaultWiki 4.0.9 and higher, as well as earlier patches for VWE-2016-2072.

      VWE-2022-6426 is a Denial of Service issue, where on some hosts and server configurations, VaultWiki's deferred tasks trigger a false positive in denial-of-service protective measures, because the web-based deferred tasks may be processed in rapid succession. As a result, some visitors inappropriately receive temporary bans, or the hosting account is temporarily suspended. The issue affects all versions of the VaultWiki 4.x series, although the issue is more pronounced on XenForo-based platforms.

      Patches

      The following patches address the aforementioned issues:
      • 4.1.4 Patch Level 2
      • 4.1.3 Patch Level 4
      • 4.1.2 Patch Level 7


      Notes

      We highly recommend that all users running VaultWiki in a production environment update to a patched release as soon as they are able.

      VaultWiki Security Update: March 2022 

      by
      pegasus
      Published on March 5, 2022 2:27 PM

      As of March 5, security patches for March 2022 are now available.

      Issue List

      VWE-2022-6401 is an HTML Injection issue, where a flaw in the cropping of overly-long WIKI BB-Code content may allow a malicious user to modify the expected contents of HTML blocks outside of the intended user-generated content locations. The issue affects VaultWiki 4.1.0 Beta 4 and higher.

      VWE-2022-6406 is a Data Loss issue, where uploading an update to an existing wiki attachment, while attachment history is disabled, can result in an attachment with no file data. The issue affects VaultWiki 4.1.1 and higher.

      VWE-2022-6411 is a Data Loss issue, where some database updates that are triggered by CLI-based cron jobs are never applied to the database. The issue affects VaultWiki 4.1.0 Alpha 1 and higher, on XenForo 2.x platforms only.

      Patches

      The following patches address the aforementioned issues:
      • 4.1.4 Patch Level 1
      • 4.1.3 Patch Level 3
      • 4.1.2 Patch Level 6


      Notes

      Due to the potential data loss in unpatched installations, we highly recommend that all users running VaultWiki in a production environment update to a patched release as soon as practicable.

      VaultWiki 4.1.4 

      by
      pegasus
      Published on January 1, 2022 4:33 PM

      VaultWiki 4.1.4 is now available for licensed customers. This version is a maintenance release with roughly 20 bug fixes.

      XenForo 2.2.8 Compatibility

      VaultWiki 4.1.4 is the first release to be compatible with XenForo 2.2.8 and higher. XenForo 2.2.8 updated the editor to a new major version of FroalaEditor (from v3 to v4). Most notably, the update required changes to the timing of VaultWiki's various JavaScript plugins in order to prevent errors in both wiki and regular forum editors.

      If you are already running XenForo 2.2.8 with an earlier version of VaultWiki, we strongly recommend that you update to 4.1.4 as soon as you are able in order to resolve these editor issues.

      VaultWiki Security Update: January 2022 

      by
      pegasus
      Published on January 1, 2022 1:43 PM

      As of January 1, security patches for January 2022 are now available.

      Issue List

      VWE-2021-6355 is a Phishing issue, where user-positioned elements are not restricted within the relevant position's container when viewing previous page revisions. The issue affects VaultWiki 4.0.18 and higher, as well as patches for VWE-2017-3734.

      VWE-2021-6363 is a Permissions Escalation issue, where a user can use a specially-crafted form submission to save more than the maximum allowed number of attachments per wiki comment. The issue affects all versions of the VaultWiki 4.x series.*

      VWE-2021-6358 is a Denial of Service issue, where the entire wiki remains disabled after an administrator performs changes that trigger certain rebuild tasks. The issue affects VaultWiki 4.1.3 and higher.

      VWE-2021-6359 is a Denial of Service issue, where the entire wiki remains disabled after an administrator changes the option Force URLs to Lower-Case. The issue affects all prior versions of the VaultWiki 4.1.x series.

      VWE-2021-6364 is a Permissions Escalation issue, where a user can associate an attachment to comments even though permission to add attachments has been revoked since the user uploaded the attachment.*

      * Please be aware that variations of these same issues also affect basic content-types on stock installations of both vBulletin and XenForo.

      Additionally, some improvements have been made regarding changes from some prior 2021 patches, where certain functionality had been adversely affected by the earlier patch.

      Patches

      The following patches address the aforementioned issues:
      • 4.1.3 Patch Level 2
      • 4.1.2 Patch Level 5


      Notes

      We recommend that all users running VaultWiki in a production environment update to a patched release.

      VaultWiki Security Update: December 2021 

      by
      pegasus
      Published on November 29, 2021 11:14 PM

      As of December 1, security patches for December 2021 are now available.

      Issue List

      VWE-2021-6267 is a Denial of Service issue, where a user can cause any page showing BB-Code content to render as a fatal error by leveraging a flaw in the WIDGET BB-Code. The issue affects all versions of the VaultWiki 4.x series.

      VWE-2021-6343 is a Denial of Service issue, where a user can cause any page showing BB-Code content to render as a fatal error by leveraging a flaw in the WIDGET BB-Code's forum and thread renderers. The issue affects the VaultWiki 4.1.x series on XenForo 2.x platforms only.

      VWE-2021-6347 is a Permissions Escalation issue, where a user can circumvent the maximum allowed file size for an attachment by uploading a specially-crafted image file in excess of the maximum allowed dimensions. The issue affects all versions of the VaultWiki 4.x series, but the effect is worst in VaultWiki 4.0.20 and higher, as well as patches for VWE-2017-4030.

      Patches

      The following patches address the aforementioned issues:
      • 4.1.3 Patch Level 1
      • 4.1.2 Patch Level 4
      • 4.1.1 Patch Level 9*

      *A patch was issued for this version even though it reached its end-of-life before the patch date, because at least one of the addressed issues was identified prior to its end-of-life. However, we recommend that users update to a more recent patched version.

      Notes

      We recommend that all users running VaultWiki in a production environment update to a patched release.

      VaultWiki 4.1.3 

      by
      pegasus
      Published on November 2, 2021 5:14 PM

      VaultWiki 4.1.3 is now available for licensed customers. This version is a maintenance release with roughly 150 bug fixes and style tweaks.

      VaultWiki 4.1.3 adds support for wiki attachments to set the WEBP extension as an image type, if PHP has been compiled with WEBP support. In addition, if support is available, WEBP will be the preferred format for image thumbnails.

      For a list of more changes in this release, please see Changelog for 4.1.3. If you are a style or language pack maintainer, please check here for changes which may affect you.

      VaultWiki Security Update: October 2021 

      by
      pegasus
      Published on October 28, 2021 12:09 AM

      As of October 25, security patches for October 2021 are now available.

      Issue List

      VWE-2021-6236 is a Permissions Escalation issue, where a user can view the title of content they have no permission to view by reading the profile of a user whose last wiki activity involved that content.

      VWE-2021-6237 is a Permissions Escalation issue, where a guest can view the wiki's cached last update even if permissions have changed in the past 5 minutes so that the guest can no longer view that update. The issue affects all versions of the VaultWiki 4.x series.

      VWE-2021-6238 is a Permissions Escalation issue, where after certain updates to permissions that do not target a specific row by ID, affected users can still view some cached content, even if the update changed their permissions so that they would not be permitted to view that content. The issue affects all versions of the VaultWiki 4.x series.

      VWE-2021-6239 is a Permissions Escalation issue, where the VaultWiki 3 importer grants custom moderator permissions to the wrong target moderator. The issue affects all versions of the VaultWiki 4.x series, except Lite versions.

      VWE-2021-6247 is a Denial of Service issue, where a user can force an existing wiki attachment to become inaccessible by editing it and uploading a new version. The issue affects all versions of the VaultWiki 4.1.x series, on XenForo 2.x platforms only, except Lite versions.

      VWE-2021-6249 is a Legal issue, where PNG metadata from XMP profiles is not preserved. Some countries require web sites to preserve XMP metadata. The issue affects VaultWiki 4.0.20 and higher, as well as patches for VWE-2017-4030, except Lite versions.

      VWE-2021-6251 is a Denial of Service issue, where a user can force existing wiki content to become inaccessible by renaming the content, if there is no other content of the same type with an ID matching the renamed content's route ID. The issue affects VaultWiki 4.1.1 Patch Level 2 and higher, except on XenForo 2.x platforms.

      VWE-2021-6252 is a Denial of Service amplification issue, where a distributed attack can consume available MySQL connections by submitting extremely high numbers of choices to a bulk chooser's submission script, because the number of choices is not limited prior to querying MySQL. This occurs due to a lack of completeness in the patches for VWE-2016-2034. The issue affects those VaultWiki patches and higher versions.

      VWE-2021-6253 is a Denial of Service issue, where a user can leverage fatal errors in the TEMPLATE BB-Code to force any wiki page using certain templates to resolve as a fatal error. The issue affects VaultWiki 4.0.4 and higher, except Lite versions.

      VWE-2021-6254 is a Permissions Escalation issue, where a user can view a partial list of a wiki area's feeds by viewing the Recent Feed Updates widget for that area, even though the user does not have permission to view a list of the area's contents. The issue affects VaultWiki 4.0.0 and higher.

      VWE-2021-6255 is a Denial of Service issue, where the entire wiki remains disabled after an administrator uses the Rebuild Content URLs tool. The issue affects all versions of the VaultWiki 4.1.x series, on vBulletin-based platforms only.

      VWE-2021-6256 is a Permissions Escalation issue, where a user can change the target of a synonym without having permission to edit synonyms. The issue affects all versions of the VaultWiki 4.x series, except Lite versions.

      VWE-2021-6257 is a Permissions Escalation issue, where a user can rename a synonym without having permission to rename synonyms. The issue affects all versions of the VaultWiki 4.x series, except Lite versions.

      VWE-2021-6258 is a Permissions Escalation issue, where a user can set a synonym's title to a value that appears on the Disallowed Titles list. The issue affects all versions of the VaultWiki 4.x series, except Lite versions.

      VWE-2021-6259 is a Denial of Service amplification issue, where a distributed attack by malicious editors can consume all memory allocated to PHP by leveraging massive numbers of template inclusions within complex template fields and saving the affected pages simultaneously. The issue affects VaultWiki 4.1.0 RC 2 and higher, on XenForo 2.x platforms only, except Lite versions.

      VWE-2021-6260 is a Permissions Escalation issue, where a custom field that parses BB-Code will render based on the template expansion rules for the maximum wiki page length rather than the maximum field length. The issue affects VaultWiki 4.1.0 RC 2 and higher, on XenForo 2.x platforms only, except Lite versions.

      VWE-2021-6261 is a Permissions Escalation issue and occasionally a Data Loss issue, where the installer fails to create a new moderator group, forcing administrators to choose an existing usergroup. Choosing an existing group risks permissions escalation and possible locked accounts, because users are added and dropped from the moderator group depending on the user's browsing context. For forums with large numbers of users, this can lead to data loss, because recovering the user's original usergroup assignments would require restoring the database from a backup. The issue affects all versions of the VaultWiki 4.1.x series, except XenForo 2.x platforms.
      • Administrators who believe their forum is in this situation should back up their database and reach out for special instructions on changing their moderator group safely, as the patch only restores the ability to create a new usergroup during installation. For new moderators created after version 4.1.3, VaultWiki will additionally attempt to track whether users were already in a usergroup before becoming a moderator to help avoid this problem.
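
      The ordering that VWE-2021-6252 describes as missing, limiting the number of choices before MySQL is queried, looks like this in PHP. This is an added example, not VaultWiki's code: the cap `MAX_BULK_CHOICES`, both function names and the `example_items` table are assumptions made for illustration.

```php
<?php
// Hypothetical cap; a real limit would come from the site's own settings.
const MAX_BULK_CHOICES = 200;

// Validate submitted choice IDs before any database work is done.
// Returns de-duplicated positive integers, or throws on bad or oversized input.
function normalize_choices($raw, int $max = MAX_BULK_CHOICES): array
{
    if (!is_array($raw)) {
        throw new InvalidArgumentException('choices must be an array');
    }
    // Check the raw count first: cheap, and done before per-item work.
    if (count($raw) > $max) {
        throw new LengthException("too many choices (limit $max)");
    }
    $ids = [];
    foreach ($raw as $value) {
        // Accept only decimal integers greater than zero.
        $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
        if ($id === false) {
            throw new InvalidArgumentException('choice IDs must be positive integers');
        }
        $ids[$id] = true; // array keys de-duplicate repeated IDs
    }
    return array_keys($ids);
}

// One bounded, parameterized query; table and column names are placeholders.
function fetch_chosen_rows(PDO $db, array $ids): array
{
    if ($ids === []) {
        return [];
    }
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("SELECT id, title FROM example_items WHERE id IN ($marks)");
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample input standing in for a submitted form field.
print_r(normalize_choices(['3', '7', '7', '42']));
try {
    normalize_choices(range(1, 100000)); // oversized submission
} catch (LengthException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

      Because the count check runs before a connection is used, an oversized submission costs the server one array count rather than a query.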


      Patches

      The following patches address the aforementioned issues:
      • 4.1.2 Patch Level 3
      • 4.1.1 Patch Level 8


      Notes

      We strongly recommend that all customers running VaultWiki in a production environment update to a patched release.
    Copyright © 2008 - 2024 VaultWiki Team, Cracked Egg Studios, LLC.