As of August 27, 2018, the regularly scheduled security patches for August are now available.
Issue List
VWE-2018-4625 is a Denial of Service Amplification issue, by which a distributed attack that posts comments to a single wiki discussion may be able to achieve denial of service, due to a flaw in the quick reply handler. Under vBulletin, the issue affects all prior versions of VaultWiki 4.x series. Under XenForo 1.x, the issue affects VaultWiki 4.0.0 Beta 7 and higher.
VWE-2018-4626 is a Data Loss issue, where some database keys may not be successfully created. The issue affects the July 2018 patches.
VWE-2018-4627 is a Data Loss issue, where the patches for
VWE-2017-4033 do not successfully prevent accidental deletion of the wiki index or wiki areas and all contents, if not careful when using the Mass Delete function. The issue affects VaultWiki 4.0.18 and higher, but it does not affect Lite versions.
VWE-2018-4630 is a Permissions Escalation issue, where if a user has permission to view a wiki node, that user can view an RSS feed which contains a list of its contents, even though the user does not have permission to view a list of the node's contents. The issue affects VaultWiki 4.0.0 Alpha 6 and higher.
VWE-2018-4631 is a Data Loss issue, where when editing an existing integration, the already-injected content may not be selected. If the integration is saved without re-selecting the content, the existing integration would be removed. The issue affects VaultWiki 4.0.23 and higher, but it does not affect Lite versions.
VWE-2018-4632 is a Permissions Escalation issue, where a fatal error after re-parenting an area may prevent area permissions from being inherited correctly. The issue affects VaultWiki 4.0.21 and higher, but it does not affect Lite versions.
Patches
The following patches, issued August 27, 2018, address the aforementioned issues:
- 4.0.23 Patch Level 2
- 4.0.22 Patch Level 4
- 4.0.21 Patch Level 5
- 4.0.20 Patch Level 8
- 4.0.19 Patch Level 11*
*A patch was issued for 4.0.19 even though it reached its end of life earlier this August, because at least one of the issues resolved by the patch was discovered prior to its end-of-life. However, we recommend that users upgrade to a more recent patched version.
We highly recommend that all users running VaultWiki in a production environment update to a patched release.