GHSA-h5jm-jjgx-q2wf

Suggest an improvement
Source
https://github.com/advisories/GHSA-h5jm-jjgx-q2wf
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-h5jm-jjgx-q2wf/GHSA-h5jm-jjgx-q2wf.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-h5jm-jjgx-q2wf
Aliases
  • CVE-2006-7223
Published
2022-05-01T07:45:42Z
Modified
2024-02-12T17:26:38.849761Z
Summary
XWiki Remote Code Execution
Details

PreviewAction in XWiki 0.9.543 through 0.9.1252 does not set the Author field to the identity of the user who last modified a document, which allows remote authenticated users without programming rights to execute arbitrary code by selecting a document whose author has programming rights, modifying this document to contain a script, and previewing without saving the document.

Database specific 
{
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [],
    "github_reviewed_at": "2024-02-12T17:00:03Z",
    "nvd_published_at": "2007-09-14T00:17:00Z"
}
References

Affected packages

Maven / org.xwiki.platform:xwiki-platform-oldcore

Package

Name
org.xwiki.platform:xwiki-platform-oldcore
View open source insights on deps.dev
Purl
pkg:maven/org.xwiki.platform/xwiki-platform-oldcore

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0.9.543
Fixed
1.0B1

Database specific 

{
    "last_known_affected_version_range": "<= 0.9.1252"
}