CVE-2006-7223

XWiki 0.9.543-0.9.1252 - Authenticated Remote Code Execution via PreviewAction

Title source: llm
STIX 2.1

Description

PreviewAction in XWiki 0.9.543 through 0.9.1252 does not set the Author field to the identity of the user who last modified a document, which allows remote authenticated users without programming rights to execute arbitrary code by selecting a document whose author has programming rights, modifying this document to contain a script, and previewing without saving the document.

References (1)

Core 1
Core References
Various Sources x_refsource_confirm
http://jira.xwiki.org/jira/browse/XWIKI-366

Scores

EPSS 0.0046
EPSS Percentile 64.1%

Details

CWE
CWE-264
Status published
Products (6)
org.xwiki.platform/xwiki-platform-oldcore 0.9.543 - 1.0B1Maven
xwiki/xwiki 0.9.543
xwiki/xwiki 0.9.790
xwiki/xwiki 0.9.793
xwiki/xwiki 0.9.840
xwiki/xwiki 0.9.1252
Published Sep 14, 2007
Tracked Since Feb 18, 2026