This is an old revision of this page, as edited March 26, 2017, 3:20 PM by pegasus(contribs). It may differ significantly from the current revision.
The versions listed below are known to be affected by this issue. If you are using one of those versions, you should update to a newer release that has no known vulnerabilities.
Common Name None VWE-ID VWE-2017-3686 Related Report None Severity LOW Exploit Difficulty NORMAL Platform Affects all platforms supported by the vulnerable versions. Description Permissions escalation. Users who can delete wiki content can remove page behaviors even though new wiki content and edits they make require moderation. Does not affect Lite versions.
Discovered March 26, 2017 Resolved NOT RESOLVED Patches Available None Workaround Do not grant users permission to physically remove wiki content in the same area where both the user's edits and new wiki content are moderated.
Notes
If edits require moderation, but new content is allowed without moderation and existing content can be deleted, then this issue becomes moot, since the escalation was explicitly permitted -- the user can delete the existing content and publish their edit as a new wiki page, without the previous page behavior, without being moderated anyway.