Description

PreviewAction in XWiki 0.9.543 through 0.9.1252 does not set the Author field to the identity of the user who last modified a document, which allows remote authenticated users without programming rights to execute arbitrary code by selecting a document whose author has programming rights, modifying this document to contain a script, and previewing without saving the document.

Remediation

References

CVE-2006-7223

Related Vulnerabilities

WordPress Plugin Advanced Forms for ACF Pro Security Bypass (1.6.8)

WordPress Plugin Snazzy Maps Cross-Site Request Forgery (1.1.5)

WordPress Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') Vulnerability (CVE-2016-7169)

Plone CMS Weak Password Requirements Vulnerability (CVE-2020-7940)

Apache Tomcat Exposure of Sensitive Information to an Unauthorized Actor Vulnerability (CVE-2008-5519)

Severity

Medium

Classification

CVE-2006-7223 CWE-264

Tags

Missing Update Known Vulnerabilities