Additionally, using a variation of this vulnerability, non-moderated editors might be able to execute otherwise un-permitted changes under XenForo platforms.
To be clear: this is a security vulnerability, since it compromises the wiki moderation process, circumvents desired permissions, and can result in unwanted content or potentially malicious changes on your wiki.
To resolve this issue, we have published the following Patch Level releases:
- 4.0.1 Patch Level 1
- 4.0.0 Patch Level 1
- 4.0.0 RC 5 Patch Level 1
- 4.0.0 RC 4 Patch Level 2
- 4.0.0 RC 3 Patch Level 3
- 4.0.0 RC 2 Patch Level 3
- 4.0.0 RC 1 Patch Level 3
We highly recommend that all users running VaultWiki 4.x in a production environment upgrade to a patched release as soon as possible.
This vulnerability affects all supported versions of VaultWiki 4.x, as well as VaultWiki 3.x, but not VaultWiki Lite.
Details
This vulnerability can be executed by any user whose wiki edits would be sent to the moderation queue for approval. Under XenForo, this vulnerability can be executed by any user who has permission to make edits, whether those edits require approval or not.
Alternative Mitigation
The only means of resolving this issue on XenForo platforms is to update to a patched release. vBulletin administrators can close this vulnerability without updating to a patched release by removing permission to edit wiki articles from groups and users whose edits are also moderated.
Since VaultWiki 3.x has already reached its End-of-Life, a patch for that series has not been issued. If you are still running VaultWiki 3.x and you believe the issue details apply to your installation, the only remedies at this time are to update to a patched version or remove permission per the previous paragraph.