VWE-2017-3686
Current Revision
April 8, 2018, 11:32 PM
Differences in Content
-
[template]Vulnerability
| cve=
| aka=
| severity=Low
| difficulty=Normal -
-
| description=Permissions escalation. Users who can delete wiki content can remove page behaviors even though new wiki content and edits they make require moderation. Does not affect Lite versions. -
+
| description=Permissions escalation. Users who can delete wiki content can remove page behaviors even though new wiki content and edits they make require moderation.
| lite=no -
| discover-date=March 26, 2017
| patch-date=March 30, 2017
| patches=4.0.17 Patch Level 1
4.0.16 Patch Level 2
4.0.15 Patch Level 6
4.0.14 Patch Level 9
4.0.13 Patch Level 9
4.0.12 Patch Level 10
4.0.11 Patch Level 10
4.0.10 Patch Level 11
| workaround=Do not grant users permission to physically remove wiki content in the same area where both the user's edits and new wiki content are moderated.[/template]
[h=3]Notes[/h]
If edits require moderation, but new content is allowed without moderation and existing content can be deleted, then this issue becomes moot, since the escalation was explicitly permitted -- the user can delete the existing content and publish their edit as a new wiki page, without the previous page behavior, without being moderated anyway.