CVE-2006-7223

  • Severity Score: 8.8 (CVSS v3)
  • Exploit Likelihood (EPSS)
  • Affected Versions (CPE)
  • Public Exploits: 0 (Multiple Sources)
  • Exploited in Wild: - (KEV)
  • Decision: - (SSVC)
Descriptions

PreviewAction in XWiki 0.9.543 through 0.9.1252 does not set the Author field to the identity of the user who last modified a document, which allows remote authenticated users without programming rights to execute arbitrary code by selecting a document whose author has programming rights, modifying this document to contain a script, and previewing without saving the document.

*Credits: N/A
CVSS Scores
CVSS v3 metrics
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: High
  • Integrity: High
  • Availability: High
CVSS v2 metrics
  • Attack Vector: Network
  • Attack Complexity: Low
  • Authentication: Single
  • Confidentiality: Partial
  • Integrity: Partial
  • Availability: Partial
* Common Vulnerability Scoring System
SSVC
  • Decision: -
  • Exploitation: -
  • Automatable: -
  • Tech. Impact: -
* Organization's Worst-case Scenario
Timeline
  • 2007-09-13 CVE Reserved
  • 2007-09-14 CVE Published
  • 2024-09-16 CVE Updated
  • 2025-03-30 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-264: Permissions, Privileges, and Access Controls
CAPEC
References (1)
  • http://jira.xwiki.org/jira/browse/XWIKI-366 (tag: X_refsource_confirm)
Affected Vendors, Products, and Versions
Vendor: Xwiki; Product: Xwiki
  • 0.9.543: Affected
  • 0.9.790: Affected
  • 0.9.793: Affected
  • 0.9.840: Affected
  • 0.9.1252: Affected