Issue List
VWE-2021-6267 is a Denial of Service issue, where a user can cause any page showing BB-Code content to render as a fatal error by leveraging a flaw in the WIDGET BB-Code. The issue affects all versions of the VaultWiki 4.x series.
VWE-2021-6343 is a Denial of Service issue, where a user can cause any page showing BB-Code content to render as a fatal error by leveraging a flaw in the WIDGET BB-Code's forum and thread renderers. The issue affects the VaultWiki 4.1.x series on XenForo 2.x platforms only.
VWE-2021-6347 is a Permissions Escalation issue, where a user can circumvent the maximum allowed file size for an attachment by uploading a specially-crafted image file in excess of the maximum allowed dimensions. The issue affects all versions of the VaultWiki 4.x series, but the effect is worst in VaultWiki 4.0.20 and higher, as well as patches for VWE-2017-4030.
Patches
The following patches address the aforementioned issues:
- 4.1.3 Patch Level 1
- 4.1.2 Patch Level 4
- 4.1.1 Patch Level 9*
*A patch was issued for this version even though it reached its end-of-life before the patch date, because at least one of the addressed issues was identified prior to its end-of-life. However, we recommend that users update to a more recent patched version.