Issue List
VWE-2021-6355 is a Phishing issue, where user-positioned elements are not restricted within the relevant position's container when viewing previous page revisions. The issue affects VaultWiki 4.0.18 and higher, as well as patches for VWE-2017-3734.
VWE-2021-6363 is a Permissions Escalation issue, where a user can use a specially-crafted form submission to save more than the maximum allowed number of attachments per wiki comment. The issue affects all versions of the VaultWiki 4.x series.*
VWE-2021-6358 is a Denial of Service issue, where the entire wiki remains disabled after an administrator performs changes that trigger certain rebuild tasks. The issue affects VaultWiki 4.1.3 and higher.
VWE-2021-6359 is a Denial of Service issue, where the entire wiki remains disabled after an administrator changes the option Force URLs to Lower-Case. The issue affects all prior versions of the VaultWiki 4.1.x series.
VWE-2021-6364 is a Permissions Escalation issue, where a user can associate an attachment to comments even though permission to add attachments has been revoked since the user uploaded the attachment.*
* Please be aware that variations of these same issues also affect basic content-types on stock installations of both vBulletin and XenForo.
Additionally, some improvements have been made regarding changes from some prior 2021 patches, where certain functionality had been adversely affected by the earlier patch.
Patches
The following patches address the aforementioned issues:
- 4.1.3 Patch Level 2
- 4.1.2 Patch Level 5