VWE-2017-3686

https://www.vaultwiki.org/pages/Book/Documentation/VWE-2017-3686
This page is a chapter in Info Known Vulnerabilities

Common Name: None
VWE-ID: VWE-2017-3686
Related Report: None
Severity: LOW
Exploit Difficulty: NORMAL
Platform: Affects all platforms supported by the vulnerable versions.
Description: Permissions escalation. Users who can delete wiki content can remove page behaviors even though new wiki content and edits they make require moderation. Does not affect Lite versions.
Discovered: March 26, 2017
Resolved: March 30, 2017
Patches Available:
    4.0.17 Patch Level 1
    4.0.16 Patch Level 2
    4.0.15 Patch Level 6
    4.0.14 Patch Level 9
    4.0.13 Patch Level 9
    4.0.12 Patch Level 10
    4.0.11 Patch Level 10
    4.0.10 Patch Level 11
Workaround: Do not grant users permission to physically remove wiki content in the same area where both the user's edits and new wiki content are moderated.

The versions listed below are known to be affected by this issue. If you are using one of those versions, you should update to a newer release that has no known vulnerabilities.

Notes

If edits require moderation, but new content is allowed without moderation and existing content can be deleted, then this issue becomes moot, since the escalation was explicitly permitted -- the user can delete the existing content and publish their edit as a new wiki page, without the previous page behavior, without being moderated anyway.
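
The workaround and the note above, written as a permission audit. This is an added example, not VaultWiki code: the export format and the field names (`can_remove`, `edits_moderated`, `new_content_moderated`) are hypothetical, and the sample rows are constructed.

```python
from dataclasses import dataclass

# Hypothetical permission export: one row per (area, usergroup).
# Field names are assumptions for illustration, not VaultWiki's own keys.
@dataclass(frozen=True)
class AreaPermission:
    area: str
    usergroup: str
    can_remove: bool             # may physically remove wiki content
    edits_moderated: bool        # the group's edits wait for approval
    new_content_moderated: bool  # the group's new pages wait for approval

def classify(p: AreaPermission) -> str:
    """Classify one row against the VWE-2017-3686 workaround."""
    if not (p.can_remove and p.edits_moderated):
        return "ok"
    if p.new_content_moderated:
        # Delete right plus full moderation: the combination the workaround forbids.
        return "exposed"
    # Edits moderated, new content not: the Notes call this moot, because
    # delete-and-republish is already allowed without moderation.
    return "moot"

def audit(rows):
    """Return (area, usergroup, verdict) for every row that is not 'ok'."""
    return [(p.area, p.usergroup, v) for p in rows if (v := classify(p)) != "ok"]

# Constructed sample data.
SAMPLE = [
    AreaPermission("Docs", "Registered", True, True, True),
    AreaPermission("Docs", "Editors", True, False, False),
    AreaPermission("Sandbox", "Registered", True, True, False),
    AreaPermission("Policies", "Registered", False, True, True),
]

if __name__ == "__main__":
    for area, group, verdict in audit(SAMPLE):
        print(f"{area}/{group}: {verdict}")
```

Rows reported as "exposed" are the ones to fix on an unpatched install, either by revoking the removal permission in that area or by applying the matching patch level.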