VWE-2021-6261

https://www.vaultwiki.org/pages/Book/Documentation/VWE-2021-6261

Common Name: None
VWE-ID: VWE-2021-6261
Related Report: #6260
Severity: HIGH
Exploit Difficulty: EASY
Platform: Affects all platforms supported by the vulnerable versions.
Description: Permissions Escalation and Data Loss. The installer fails to create a new moderator group, forcing administrators to choose an existing usergroup. Choosing an existing group risks permissions escalation and possible locked accounts, because users are added and dropped from the moderator group depending on the user's browsing context. For forums with large numbers of users, this can lead to data loss, because recovering the user's original usergroup assignments would require restoring the database from a backup.
Discovered: October 19, 2021
Resolved: October 25, 2021
Patches Available: 4.1.2 Patch Level 3; 4.1.1 Patch Level 8

The versions listed below are known to be affected by this issue. If you are using one of those versions, you should update to a newer release that has no known vulnerabilities.

Notes

Administrators who believe they are in this situation should back up their database and reach out for special instructions on changing their moderator group safely. The patch only restores the ability to create a new usergroup during installation.

The issue affects fresh installations on vBulletin platforms and XenForo 1.x only.
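
To illustrate the Description's point about recovering original usergroup assignments, the following added example (not VaultWiki's code and not the vendor's recovery procedure) compares a constructed pre-install export of group assignments with a constructed current one and lists who was added to or dropped from the reused group. The CSV column names and group id 7 are assumptions for illustration.

```python
"""Added example: compare a pre-install snapshot of group assignments with the
current state to see who was added to or dropped from the reused group."""
import csv
import io

# Constructed sample exports (userid, primary group, comma-separated secondary groups).
# Column names and group id 7 are assumptions for illustration, not VaultWiki's schema.
BACKUP_CSV = """userid,primary_group,secondary_groups
1,6,
2,2,7
3,2,
4,7,
5,2,"5,7"
"""
CURRENT_CSV = """userid,primary_group,secondary_groups
1,6,
2,2,
3,2,7
4,2,
5,2,"5,7"
6,2,7
"""

def load_groups(text):
    """Map userid -> set of every group id the user belongs to."""
    members = {}
    for row in csv.DictReader(io.StringIO(text)):
        groups = {int(row["primary_group"])}
        groups.update(int(g) for g in row["secondary_groups"].split(",") if g.strip())
        members[int(row["userid"])] = groups
    return members

def diff_group(backup, current, group_id):
    """Return users added to / dropped from group_id since the backup."""
    added, dropped, unknown = [], [], []
    for uid, groups in sorted(current.items()):
        if uid not in backup:
            # Account created after the backup: no baseline to compare against.
            if group_id in groups:
                unknown.append(uid)
        elif group_id in groups and group_id not in backup[uid]:
            added.append(uid)      # possible permissions escalation
        elif group_id not in groups and group_id in backup[uid]:
            dropped.append(uid)    # possible lost access / locked account
    return {"added": added, "dropped": dropped, "no_baseline": unknown}

if __name__ == "__main__":
    report = diff_group(load_groups(BACKUP_CSV), load_groups(CURRENT_CSV), 7)
    for kind, uids in report.items():
        print(f"{kind}: {uids}")
```

The report only identifies affected accounts; it changes nothing in either snapshot.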