PreviewAction in XWiki 0.9.543 up to and including 0.9.1252 does not set the Author field to the identity of the user who last modified a document, which allows remote authenticated users without programming rights to execute arbitrary code by selecting a document whose author has programming rights, modifying this document to contain a script, and previewing without saving the document.
Vulnerable Product | Search on Vulmon | Subscribe to Product |
---|---|---|
xwiki xwiki 0.9.543 |
||
xwiki xwiki 0.9.790 |
||
xwiki xwiki 0.9.793 |
||
xwiki xwiki 0.9.840 |
||
xwiki xwiki 0.9.1252 |