VWE-2021-6098

[template]Vulnerability
| aka=
| severity=Medium
| difficulty=Normal
| description=Permissions Escalation. A user can associate platform-based attachments to wiki comments, even though those attachments were uploaded by another user account with different attachment permissions and/or quotas, or by the same user account under a different context with different attachment permissions and/or quotas.
| platform=
| lite=
| issueid=
| discover-date=May 7, 2021
| patch-date=June 6, 2021
| patches=4.1.1 Patch Level 5
4.1.0 Patch Level 7
4.1.0 RC 3 Patch Level 9
| workaround=
[/template]

[h=3]Notes[/h]

Please be aware that variations of the same issue also affect basic content-types on stock installations of both vBulletin and XenForo.

XenForo developers have been [URL="https://xenforo.com/community/threads/attachment_hash-can-allow-circumvention-of-permissions-quotas.194181/"]notified of the issue[/URL], but the issue has not yet been addressed as of June 6, 2021. Because vBulletin 4.x and lower are already end-of-life, vBulletin's developers will never patch this.

In the absence of a patch, the only way to prevent this issue from being exploited is to disable all platform-based attachments (posts, conversations, etc.) that are not patched.

Also, depending on the method used, a future XenForo patch could break the fix that we have applied to wiki comments.