VWE-2020-5943

https://www.vaultwiki.org/pages/Book/Documentation/VWE-2020-5943
Common Name: None
VWE-ID: VWE-2020-5943
Related Report: None
Severity: MEDIUM
Exploit Difficulty: EASY
Platform: Affects all platforms supported by the vulnerable versions.
Description: Denial of Service. A sanitization issue in AJAX-submitted input allows invalid UTF-8 characters to pass verification, and could result in moderators being unable to access XenForo 2.x's approval queue if it contains affected content. The underlying sanitization issue has existed since 4.0.0 Gamma 6 and exists in all platforms; however, the code was never used on XenForo-based platforms in the VaultWiki 4.0.x series. The issue has been exploited in the wild as early as June 2017 on vBulletin-based platforms. The malicious effect can only be realized in the following situations:
  • vBulletin installations running VaultWiki 4.0.0 Gamma 6 or higher when exploited, if that installation converts to XenForo 1.x running VaultWiki, and later converts to XenForo 2.x running VaultWiki.
  • XenForo installations running VaultWiki 4.1.x or higher when exploited, if that installation now runs XenForo 2.x.
Discovered: October 7, 2020
Resolved: November 8, 2020
Patches Available:
  • 4.1.0 Patch Level 2
  • 4.1.0 RC 3 Patch Level 4
  • 4.1.0 RC 2 Patch Level 5
  • 4.1.0 RC 1 Patch Level 6
  • 4.0.28 Patch Level 6
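As an added illustration (this is not VaultWiki's own code and does not reproduce the specific check the advisory refers to), the following Python shows the two defensive pieces this class of bug calls for: strictly validating submitted bytes as well-formed UTF-8 before they are stored, and scanning already-stored content for invalid byte sequences so that affected rows can be located and cleaned rather than left to break a page that renders them. The queue rows and their ids are constructed sample data.

```python
"""Strict UTF-8 validation for user-submitted content, plus a scan for
already-stored rows that carry invalid byte sequences.

Illustrative code only: it is not VaultWiki's sanitizer and does not
reproduce the check described in the advisory. The sample rows below
are constructed.
"""
from typing import Iterable, List, Tuple


def is_valid_utf8(data: bytes) -> bool:
    """Return True only if every byte sequence in data is well-formed UTF-8.

    Python's strict codec rejects truncated sequences, stray continuation
    bytes, overlong encodings, UTF-16 surrogate code points and code points
    above U+10FFFF, which is exactly the set of inputs a lax check tends to
    wave through.
    """
    try:
        data.decode("utf-8", errors="strict")
    except UnicodeDecodeError:
        return False
    return True


def sanitize_utf8(data: bytes, replace: bool = False) -> str:
    """Decode submitted bytes into text, or refuse them.

    With replace=False (the safe default for a submission handler) invalid
    input raises ValueError so the request can be rejected outright.
    With replace=True each malformed sequence becomes U+FFFD, which is the
    right choice when cleaning content that is already stored rather than
    discarding it.
    """
    if is_valid_utf8(data):
        return data.decode("utf-8")
    if not replace:
        raise ValueError("input is not well-formed UTF-8")
    return data.decode("utf-8", errors="replace")


def find_invalid_rows(rows: Iterable[Tuple[int, bytes]]) -> List[int]:
    """Return the ids of stored rows whose content is not well-formed UTF-8.

    This is the remediation side: content that reached storage before a
    strict check existed has to be found before it can be cleaned.
    """
    return [row_id for row_id, content in rows if not is_valid_utf8(content)]


# Constructed sample "approval queue" rows, keyed by a made-up row id.
SAMPLE_ROWS = [
    (1, "plain ascii".encode("utf-8")),
    (2, "héllo wörld ☃".encode("utf-8")),  # valid multibyte sequences
    (3, b"truncated \xe2\x98"),             # 3-byte sequence cut short
    (4, b"overlong \xc0\xaf"),              # overlong encoding of '/'
    (5, b"surrogate \xed\xa0\x80"),         # UTF-16 surrogate, invalid in UTF-8
    (6, b"stray continuation \x80 byte"),   # continuation byte with no lead byte
]

if __name__ == "__main__":
    bad = find_invalid_rows(SAMPLE_ROWS)
    print("rows with invalid UTF-8:", bad)
    for row_id, content in SAMPLE_ROWS:
        if row_id in bad:
            print(row_id, repr(sanitize_utf8(content, replace=True)))
```

Rejecting at submission time is the fix; the scan is what an operator needs after the fact, because the advisory's effect depends on affected content already sitting in the queue when a moderator opens it.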
The versions listed below are known to be affected by this issue. If you are using one of those versions, you should update to a newer release that has no known vulnerabilities.