Issue List
VWE-2021-6131 is a Subscription Management issue, where the wrong user may receive a notification when a moderator takes action against a user's wiki content. The issue affects all versions of the VaultWiki 4.x series.VWE-2021-6136 is a Data Loss issue, where when renaming content, a user can unintentionally change all synonyms attached to that content into double redirects. The issue affects VaultWiki 4.0.16 and higher.
VWE-2021-6139 is a Permissions Escalation issue, where when renaming content, the rename is completed without a valid synonym, even if the user does not have permission to rename without generating a synonym. The issue affects VaultWiki 4.0.16 and higher.
VWE-2021-6145 is a Permissions Escalation issue, by which a user who can move content to another area can also send it to the approval queue, even though the user does not have permission to moderate content. The issue affects VaultWiki 4.1.0 RC 2 and higher.
VWE-2021-6148 is a Data Loss issue, where deferred tasks containing a reference to triggering content can fail to queue due to custom field assignments or unencoded IP data, resulting in data denormalization, orphaned content, and other effects. The issue affects VaultWiki 4.1.0 RC 2 and higher.
Patches
The following patches address the aforementioned issues:- 4.1.2 Patch Level 1
- 4.1.1 Patch Level 6
- 4.1.0 Patch Level 8