Issue List
VWE-2020-5875 is a Permissions Escalation issue, whereby if there is an existing upload a user and others don't have permission to view, the user can create a duplicate of that upload in an area where they do have permission, if the user can guess the file's hash. The issue affects all versions of VaultWiki 4.x series.VWE-2020-5930 is a Permissions Escalation issue, where by leveraging template inclusions, for a template that contains media-related BB-Codes in an area that disallows such tags, these tags might might parsed within the context of a different area that does allow them. The issue affects VaultWiki 4.0.9 and higher.
VWE-2020-5937 is a Permissions Escalation issue, where by leveraging page-level whitelists, a lower-level user could revoke an administrator's or moderator's permission to modify affected pages. The issue affects VaultWiki 4.1.0 Beta 2 and higher.
Patches
The following patches address the aforementioned issues:- 4.1.0 Patch Level 1
- 4.1.0 RC 3 Patch Level 3
- 4.1.0 RC 2 Patch Level 4
- 4.1.0 RC 1 Patch Level 5
- 4.0.28 Patch Level 5