VWE-2021-6261 Viewing Source [template]Vulnerability | aka= | severity=High | difficulty=Easy | description=Permissions Escalation and Data Loss. The installer fails to create a new moderator group, forcing administrators to choose an existing usergroup. Choosing an existing group risks permissions escalation and possible locked accounts, because users are added and dropped from the moderator group depending on the user's browsing context. For forums with large numbers of users, this can lead to data loss, because recovering the user's original usergroup assignments would require restoring the database from a backup. | platform= | lite= | issueid=6260 | discover-date=October 19, 2021 | patch-date=October 25, 2021 | patches=4.1.2 Patch Level 3 4.1.1 Patch Level 8 | workaround= [/template] [h=3]Notes[/h] Administrators who believe they are in this situation should backup their database and reach out for special instructions on changing their moderator group safely. The patch only restores the ability to create a new usergroup during installation. The issue affects fresh installations on vBulletin platforms and XenForo 1.x only. 1,132 characters