Issue List
VWE-2020-5643 is a Subscription Management issue, where alerts for likes or reactions to content the user contributed to are sent even if that user has not opted in to that alert. The issue affects XenForo 2.x-based platforms only.
VWE-2020-5645 is a Local File Inclusion issue, whereby a malicious attacker can load VaultWiki PHP files into memory outside of the intended execution pattern for those files. However, the attacker receives a fatal error when doing so. The issue affects all versions of the VaultWiki 4.x series.
VWE-2020-5727 is an HTML Injection issue, where unescaped HTML can appear in keywords, description, and other META elements. The issue affects all versions of the VaultWiki 4.x series.
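To illustrate the bug class behind VWE-2020-5727, the following is an added example and not VaultWiki's own code: a META tag rendered from user-editable wiki text once without and once with attribute escaping, plus a check that the result is still a single element. The `$pageDescription` value and both renderer functions are assumptions for the demonstration.

```php
<?php
// Added example, not VaultWiki code. It models the bug class only: a META tag
// built from user-editable wiki text with and without attribute escaping.

// Vulnerable pattern: the value is interpolated into the attribute verbatim.
function render_meta_unescaped(string $name, string $content): string
{
    return '<meta name="' . $name . '" content="' . $content . '">';
}

// Hardened pattern: escape both quote styles and angle brackets so the value
// can neither end the content attribute nor start a new element.
function render_meta_escaped(string $name, string $content): string
{
    $flags = ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5;
    return '<meta name="' . htmlspecialchars($name, $flags, 'UTF-8')
        . '" content="' . htmlspecialchars($content, $flags, 'UTF-8') . '">';
}

// Regression check: the rendered string must be exactly one META element with
// no stray angle brackets, i.e. nothing from the value became markup.
function is_single_meta_tag(string $html): bool
{
    return preg_match('/^<meta [^<>]*>$/', $html) === 1;
}

// Constructed sample value (hypothetical page description), shaped to close
// the attribute and append a new element.
$pageDescription = 'Article summary"><b>injected</b><meta x="';

foreach (['render_meta_unescaped', 'render_meta_escaped'] as $renderer) {
    $html = $renderer('description', $pageDescription);
    printf("%s: %s\n%s\n\n", $renderer,
        is_single_meta_tag($html) ? 'safe' : 'BROKEN OUT', $html);
}
```

The same check can be run over a site's rendered `<head>` after patching to confirm that description and keyword values no longer produce extra elements.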
VWE-2020-5774 is a Permissions Escalation issue, by which users can leverage assignment form filters to retrieve a list of containers they don't have permission to view, as long as they have permission to view the content list of the container's area. The issue affects all versions of the VaultWiki 4.x series.
Patches
The following patches address the aforementioned issues:
- 4.1.0 RC 2 Patch Level 1
- 4.1.0 RC 1 Patch Level 2
- 4.0.28 Patch Level 2
- 4.0.27 Patch Level 5
- 4.0.26 Patch Level 7