CVE-2006-7223
EPSS 0.46%XWiki Remote Code Execution
Published: 5/1/2022Modified: 2/12/2024
Description
PreviewAction in XWiki 0.9.543 through 0.9.1252 does not set the Author field to the identity of the user who last modified a document, which allows remote authenticated users without programming rights to execute arbitrary code by selecting a document whose author has programming rights, modifying this document to contain a script, and previewing without saving the document.
Affected packages (1)
- Maven/org.xwiki.platform:xwiki-platform-oldcore>= 0.9.543, < 1.0B1