CVE-2006-7223
First published: Fri Sep 14 2007(Updated: )
PreviewAction in XWiki 0.9.543 through 0.9.1252 does not set the Author field to the identity of the user who last modified a document, which allows remote authenticated users without programming rights to execute arbitrary code by selecting a document whose author has programming rights, modifying this document to contain a script, and previewing without saving the document.
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Xwiki Xwiki | =0.9.1252 | |
| Xwiki Xwiki | =0.9.790 | |
| Xwiki Xwiki | =0.9.543 | |
| Xwiki Xwiki | =0.9.840 | |
| Xwiki Xwiki | =0.9.793 | |
| maven/org.xwiki.platform:xwiki-platform-oldcore | >=0.9.543<=0.9.1252 | 1.0B1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://jira.xwiki.org/jira/browse/XWIKI-366
- https://nvd.nist.gov/vuln/detail/CVE-2006-7223
- https://github.com/xwiki/xwiki-platform/commit/c44172a3556d12b62c0d793ab18475e5e13d7120
- https://web.archive.org/web/20080616064908/http://jira.xwiki.org/jira/browse/XWIKI-366
- https://github.com/advisories/GHSA-h5jm-jjgx-q2wf (Advisory)
- collector/nvd-historical
- vendor/xwiki
- product/xwiki
- canonical/xwiki xwiki
- collector/nvd-index
- agent/type
- agent/first-publish-date
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-h5jm-jjgx-q2wf
- alias/CVE-2006-7223
- agent/software-canonical-lookup
- collector/nvd-cve
- source/NVD
- agent/references
- agent/author
- agent/last-modified-date
- agent/weakness
- agent/severity
- agent/description
- agent/tags
- agent/softwarecombine
- agent/event
- collector/github-advisory
- version/xwiki xwiki/0.9.1252
- version/xwiki xwiki/0.9.790
- version/xwiki xwiki/0.9.543
- version/xwiki xwiki/0.9.840
- version/xwiki xwiki/0.9.793
- package-manager/maven