VWE-2019-5016 Printable Version
This page is a chapter in Info Known Vulnerabilities
This page has been seen 217,019 times.
-
-
Created by on
-
The versions listed below are known to be affected by this issue. If you are using one of those versions, you should update to a newer release that has no known vulnerabilities.
Common Name None VWE-ID VWE-2019-5016 Related Report #5619 Severity MEDIUM Exploit Difficulty EASY Platform Affects all platforms supported by the vulnerable versions. Description Permissions Escalation. By guessing the correct editor URL, users can post new wiki content without proper permissions. The issue affects new content only; edits to existing content are unaffected.
Discovered February 2, 2019 Resolved February 19, 2019 Patches Available 4.1.0 Alpha 2
4.0.25 Patch Level 1
4.0.24 Patch Level 3
4.0.23 Patch Level 5
4.0.22 Patch Level 7
4.0.21 Patch Level 8Workaround In your Wiki Permissions, for each usergroup that should not permitted to create all content, update all permissions like "Are new [X] NOT moderated?" to NO. This will catch all new content in the moderation queue, including content created without permission.
Notes
Because it was possible to download pre-release versions of the February patches which were intended for testing purposes, your version number may incorrectly suggest that you are already patched against this issue. You should re-download and re-apply the patch if you believe that you may have downloaded it prior to February 20, 2019.