The versions listed below are known to be affected by this issue. If you are using one of those versions, you should update to a newer release that has no known vulnerabilities.
Common Name None VWE-ID VWE-2021-6261 Related Report #6260 Severity HIGH Exploit Difficulty EASY Platform Affects all platforms supported by the vulnerable versions. Description Permissions Escalation and Data Loss. The installer fails to create a new moderator group, forcing administrators to choose an existing usergroup. Choosing an existing group risks permissions escalation and possible locked accounts, because users are added and dropped from the moderator group depending on the user's browsing context. For forums with large numbers of users, this can lead to data loss, because recovering the user's original usergroup assignments would require restoring the database from a backup.
Discovered October 19, 2021 Resolved October 25, 2021 Patches Available 4.1.2 Patch Level 3
4.1.1 Patch Level 8
NotesAdministrators who believe they are in this situation should backup their database and reach out for special instructions on changing their moderator group safely. The patch only restores the ability to create a new usergroup during installation.
The issue affects fresh installations on vBulletin platforms and XenForo 1.x only.
This page has been seen 66,401 times.