Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1oNWptLWpqZ3gtcTJ3Zs2VbA
XWiki Remote Code Execution
PreviewAction in XWiki 0.9.543 through 0.9.1252 does not set the Author field to the identity of the user who last modified a document, which allows remote authenticated users without programming rights to execute arbitrary code by selecting a document whose author has programming rights, modifying this document to contain a script, and previewing without saving the document.
Permalink: https://github.com/advisories/GHSA-h5jm-jjgx-q2wf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oNWptLWpqZ3gtcTJ3Zs2VbA
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: 3 months ago
Identifiers: GHSA-h5jm-jjgx-q2wf, CVE-2006-7223
References:
- https://nvd.nist.gov/vuln/detail/CVE-2006-7223
- https://github.com/xwiki/xwiki-platform/commit/c44172a3556d12b62c0d793ab18475e5e13d7120
- https://web.archive.org/web/20080616064908/http://jira.xwiki.org/jira/browse/XWIKI-366
- https://github.com/advisories/GHSA-h5jm-jjgx-q2wf
Blast Radius: 1.0
Affected Packages
maven:org.xwiki.platform:xwiki-platform-oldcore
Affected Version Ranges: >= 0.9.543, <= 0.9.1252
Fixed in: 1.0B1