The versions listed below are known to be affected by this issue. If you are using one of those versions, you should update to a newer release that has no known vulnerabilities.
Common Name None VWE-ID VWE-2021-6098 Related Report None Severity MEDIUM Exploit Difficulty NORMAL Platform Affects all platforms supported by the vulnerable versions. Description Permissions Escalation. A user can associate platform-based attachments to wiki comments, even though those attachments were uploaded by another user account with different attachment permissions and/or quotas, or by the same user account under a different context with different attachment permissions and/or quotas.
Discovered May 7, 2021 Resolved June 6, 2021 Patches Available 4.1.1 Patch Level 5
4.1.0 Patch Level 7
4.1.0 RC 3 Patch Level 9
NotesPlease be aware that variations of the same issue also affect basic content-types on stock installations of both vBulletin and XenForo. XenForo developers have been notified of the issue, but the issue has not yet been addressed as of June 6, 2021. Since vBulletin 4.x and lower is already end-of-life, this would never be patched by vBulletin's developers. In the absence of a patch, the only way to prevent this issue from being exploited would be to disable all platform-based attachments (posts, conversations, etc) that are not patched. Also, depending on the method, a future XenForo patch could break the fix that we have applied to wiki comments.
This page has been seen 294 times.