Issue List
VWE-2019-5452 is a Subscription Management issue, where using the admin option to delete all wiki subscriptions for a user may not delete any. The issue affects 4.0.17 and higher, on XenForo 1.x platforms only.
VWE-2019-5453 is a Permissions Escalation issue, where wiki social groups are visible to non-group-members via the WIDGET BB-Code, even though the social group is set up to only permit member viewing. The issue affects 4.0.9 and higher, as well as patches for VWE-2016-2064, on vBulletin platforms only.
VWE-2020-5454 is a Permissions Escalation issue, where meta descriptions and summary snippets of wiki pages may include privileged or user-specific content based on the user who generated the description, rather than the user who is currently viewing it. The issue affects 4.0.0 Alpha 1 and higher.
Patches
The following patches address the aforementioned issues:
- 4.0.27 Patch Level 3
- 4.0.26 Patch Level 5
- 4.0.25 Patch Level 7*
* A patch was issued for this version even though it reached its end-of-life before the patch date, because at least one of the addressed issues was identified prior to its end-of-life. However, we recommend that users update to a more recent patched version.
4.1.x Issues
Since beta versions are not subject to the same patching policy as stable versions, the following issues will be patched in a future release of the 4.1.x branch, in addition to any relevant issues listed above.
VWE-2019-5463 is a Denial of Service Amplification issue, where content updates that affect a large number of feeds may take an infinite number of deferred requests to apply those updates. Until a patch is available, you may wish to use permissions to prevent non-admin users from adding entries to feeds.