Issue List
VWE-2019-5193 is an HTML/JavaScript injection issue, where by leveraging XHR requests, users may be able to embed new HTML in the requested page or save content that is rendered as HTML, without appropriate permission. It affects 4.0.0 Gamma 6 and higher.

VWE-2019-5261 is a Subscription Management issue, where imported subscriptions don't flag the correct user as having active subscriptions. While subscriptions are disabled globally, those users could be unable to manage their imported subscriptions if they don't have non-imported subscriptions too. It affects 4.0.0 Gamma 7 and higher.
Patches
As of June 7, 2019, the following patches address the aforementioned issues:
- 4.0.26 Patch Level 1
- 4.0.25 Patch Level 3
- 4.0.24 Patch Level 5
- 4.0.23 Patch Level 7*
* A patch was issued for this version even though it reached its end-of-life before the patch date, because at least one of the addressed issues was identified prior to its end-of-life. However, we recommend that users update to a more recent patched version.
4.1.x Issues
Since beta versions are not subject to the same patching policy as stable versions, the following issues are patched in a new build of the current 4.1.x branch version, 4.1.0 Beta 1, in addition to any relevant issues listed above.

VWE-2019-5241 is a Permissions Escalation issue, where users can view the output of certain sidebar-type WIDGET BB-Codes without permission, as long as they have permission to view the output of a specific other sidebar-type widget, which varies from case to case. The issue affects XenForo 2.x only.
VWE-2019-5244 is a Denial of Service issue, where by exploiting a bug while renaming content, malicious users can make pages disappear completely. The issue affects XenForo 2.x only.
VWE-2019-5266 is a Permissions Escalation issue, by which a user can use specially crafted BB-Codes and template parameters to circumvent area parser settings. The issue affects XenForo 2.x only.
VWE-2019-5268 is a Subscription Management issue, where user requests to mass disable all email notifications for wiki subscriptions or to empty entire wiki subscription folders will not complete successfully.