Issue List
VWE-2019-5425 is a Permissions escalation, where users can view the output of embedded templates that were soft-deleted or rejected, even if they don't have staff permissions, as long as the page where the template was embedded was cached when viewed by another user who had the appropriate permission. The issue affects all versions of the VaultWiki 4.x series.Patches
The following patches address the aforementioned issues:- 4.0.27 Patch Level 2
- 4.0.26 Patch Level 4
- 4.0.25 Patch Level 6
4.1.x Issues
Since beta versions are not subject to the same patching policy as stable versions, the issue listed above is patched in a new build in the 4.1.x branch, 4.1.0 Beta 4 build 005. In addition, the following issue is known to have affected a prior build. To stay protected, please make sure you are running the latest build of the beta.VWE-2019-5416 is a Permissions escalation, where wiki page contents are rendered using the viewing user's parser-related permissions for wiki comments that they post, rather than the appropriate parser-related area settings for wiki pages. The issue affects early downloads of 4.1.0 Beta 4 build 001 only, and only on vBulletin 4.x platforms. Users already running a later build or using VaultWiki on a different platform are not affected by this issue.