Description
PreviewAction in XWiki 0.9.543 through 0.9.1252 does not set the Author field to the identity of the user who last modified a document, which allows remote authenticated users without programming rights to execute arbitrary code by selecting a document whose author has programming rights, modifying this document to contain a script, and previewing without saving the document.
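As an added illustration, and not XWiki's own code, the following Python model shows the privilege-confusion pattern the description names: embedded scripts run with the rights of the document's Author, so a preview that leaves the stored Author in place lets an editor without programming rights execute under the original author's rights, while a preview that first attributes the unsaved draft to the current user does not. The user table, document names, and the `{{groovy}}` marker check are constructed assumptions.

```python
# Hypothetical model of the PreviewAction authorship flaw (not XWiki code).
# Rule modelled: a script block executes only if the document's Author holds
# programming rights. Vulnerable preview keeps the stored Author; fixed
# preview sets Author to the user who modified the document before rendering.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Document:
    name: str
    author: str
    content: str


# Constructed user table (assumption): who holds programming rights.
PROGRAMMING_RIGHTS = {"Admin": True, "Alice": False}


def has_programming_rights(user: str) -> bool:
    return PROGRAMMING_RIGHTS.get(user, False)


def render(doc: Document) -> str:
    """Render a document; a {{groovy}} block runs only under an author
    with programming rights, otherwise it is refused."""
    if doc.content.startswith("{{groovy}}"):
        if has_programming_rights(doc.author):
            return "EXECUTED as " + doc.author
        return "DENIED: author " + doc.author + " lacks programming rights"
    return doc.content


def preview_vulnerable(stored: Document, editor: str, new_content: str) -> str:
    # Author field untouched: the editor's unsaved draft runs as the stored author.
    draft = replace(stored, content=new_content)
    return render(draft)


def preview_fixed(stored: Document, editor: str, new_content: str) -> str:
    # Attribute the unsaved draft to the user who modified it, then render.
    draft = replace(stored, author=editor, content=new_content)
    return render(draft)


# Constructed sample: a page saved by a user with programming rights.
ADMIN_PAGE = Document("Main.WebHome", "Admin", "Welcome")
SCRIPT = "{{groovy}}println('hello'){{/groovy}}"
```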
Remediation
References