CVE-2006-7223
XWiki Remote Code Execution
EPSS 1.5%
Description
PreviewAction in XWiki 0.9.543 through 0.9.1252 does not set the Author field to the identity of the user who last modified a document, which allows remote authenticated users without programming rights to execute arbitrary code by selecting a document whose author has programming rights, modifying this document to contain a script, and previewing without saving the document.
How to fix CVE-2006-7223
To fix CVE-2006-7223, upgrade the affected package to one of the patched versions listed below.
- Maven/org.xwiki.platform:xwiki-platform-oldcore: upgrade to 1.0B1 or later
Is CVE-2006-7223 being exploited?
Low: the EPSS score is 1.5%, and no widespread exploitation activity has been observed.
Affected packages (1)
- >= 0.9.543, < 1.0B1