For a list of changes in this release, please see Changelog for 4.1.0 Beta 1. If you are a style or language pack maintainer, please check here for changes which may affect you.
Resolved Security Issues
Since alpha and beta versions are not subject to the same patching policy as stable versions, the following issues are patched in this release of the 4.1.x branch version, 4.1.0 Beta 1, in addition to any relevant issues that were already patched on the stable branch.VWE-2019-5150 is a Permissions Escalation, where users can post new wiki content regardless of permissions, as long as the user can create normal wiki pages and he knows the proper editor URL for the desired content-type.
VWE-2019-5151 is a Subscription Management issue, where the page that lists all of a user's subscriptions and the page containing the user's wiki subscription preferences do not successfully render. The issue affects vBulletin only.
VWE-2019-5157 is a Permissions Escalation issue, where users can view the index's feed list even if they are not permitted to view the index.
VWE-2019-5159 is a Permissions Escalation issue, where users can view index-scoped widgets via the sidebar-type WIDGET BB-Code, as long as they have global permissions to view the same widget.
VWE-2019-5160 is a Permissions Escalation issue, where users can create, open, or close discussion topics on the index, as long as they have global permissions to perform the action.
VWE-2019-5161 is a Permissions Escalation issue, where users can view moderated attachments on index comments, as long as they have global permissions to view moderated attachments. The issue affects vBulletin 4.x only.
VWE-2019-5162 is a Permissions Escalation issue, where users can view a poster's IP address for discussions, comments, edits, and last-updates related to the index, as long as they have global permissions to view IP addresses.
VWE-2019-5163 is a Permissions Escalation issue, where users can view moderated discussions, comments, and edits related to the index, as long as they have global permissions to view the same.