Description

The "You are not allowed..." error handler in XWiki 1.0 B1 and 1.0 B2 associates the doc variable with the entire document content and metadata regardless of a user's view rights, which allows remote authenticated users to read arbitrary documents via a custom skin that prints the content attribute of the doc variable.

Remediation

References

CVE-2007-4888

Related Vulnerabilities

WordPress Plugin Widget Logic Cross-Site Request Forgery (5.10.2)

Ruby Improper Restriction of Operations within the Bounds of a Memory Buffer Vulnerability (CVE-2017-14064)

Jenkins Improper Input Validation Vulnerability (CVE-2021-21639)

WebLogic CVE-2020-2547 Vulnerability (CVE-2020-2547)

WordPress Plugin Digital Publications by Supsystic Multiple Vulnerabilities (1.6.9)

Severity

Low

Classification

CVE-2007-4888

Tags

Missing Update Known Vulnerabilities