Description
PreviewAction in XWiki 0.9.543 through 0.9.1252 does not set the Author field to the identity of the user who last modified a document, which allows remote authenticated users without programming rights to execute arbitrary code by selecting a document whose author has programming rights, modifying this document to contain a script, and previewing without saving the document.
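The authorization logic behind this flaw, as an added illustration that is not XWiki code: a toy rights model where a script in a document executes only if the document's recorded author has programming rights, a preview path that keeps the stored author (the defect described above), and a corrected path that records the previewing user as the author before rendering. The user names and the `{{groovy}}` script marker are constructed for the model.

```python
from dataclasses import dataclass

# Constructed user table: who holds programming rights in this toy wiki.
PROGRAMMING_RIGHTS = {"Admin": True, "Alice": False}


@dataclass
class Document:
    name: str
    author: str    # the user whose rights govern script execution
    content: str


def has_script(content: str) -> bool:
    # Simplified detection: treat a {{groovy}} marker as script content.
    return "{{groovy}}" in content


def render(doc: Document) -> str:
    """Render a document; scripts run only under an author with programming rights."""
    if not has_script(doc.content):
        return doc.content
    if PROGRAMMING_RIGHTS.get(doc.author, False):
        return f"SCRIPT EXECUTED with rights of {doc.author}"
    return "SCRIPT BLOCKED: author lacks programming rights"


def preview_vulnerable(saved: Document, current_user: str, new_content: str) -> str:
    """Defective preview: the unsaved draft inherits the saved document's author,
    so a low-privilege editor's script is evaluated under the original author."""
    draft = Document(saved.name, saved.author, new_content)
    return render(draft)


def preview_fixed(saved: Document, current_user: str, new_content: str) -> str:
    """Corrected preview: the user who modified the content becomes its author,
    so the rights check applies to the person actually previewing."""
    draft = Document(saved.name, current_user, new_content)
    return render(draft)


if __name__ == "__main__":
    page = Document("Sandbox", "Admin", "Welcome")
    script = "{{groovy}}println 'hi'{{/groovy}}"
    print(preview_vulnerable(page, "Alice", script))  # runs as Admin
    print(preview_fixed(page, "Alice", script))       # blocked
```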
Remediation
References