Issue List
VWE-2020-5603 is a Permissions escalation issue, where, by leveraging nested templates, a user can alter the permissions of a containing template to that of a contained template. The issue affects 4.0.0 RC and higher, on vBulletin-based platforms only.
VWE-2020-5604 is a Denial of service issue, where, by leveraging specially-crafted templates, a user can bypass template usage limits and create a situation where a page cannot finish parsing before server processes time out. The issue affects all versions of VaultWiki 2.x, 3.x, and 4.x series.
VWE-2020-5622 is a Permissions escalation issue, where moderators are able to action reports for index-related content they can't manage, as long as they have global management permissions. The issue affects VaultWiki 4.1.0 Alpha 1 and higher.
VWE-2020-5623 is a Permissions escalation issue, where content lists might contain content from areas that the user does not have permission to view. The issue affected VaultWiki 4.1.0 RC 1 build 001 only.
VWE-2020-5631 is a Permissions escalation issue, where users can create feeds in areas that can't contain feeds. The issue affects VaultWiki 4.0.0 and higher.
VWE-2020-5636 is a Permissions escalation issue, where users can create content they don't have permission to create, as long as they attempt to create it as part of the same request that allowed them to create different content. The issue affects VaultWiki 4.0.0 Alpha 1 and higher.
Patches
The following patches address the aforementioned issues:
- 4.1.0 RC 1 Patch Level 1
- 4.0.28 Patch Level 1
- 4.0.27 Patch Level 4
- 4.0.26 Patch Level 6