CVE-2006-7223

Severity Score

6.5

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

PreviewAction in XWiki 0.9.543 through 0.9.1252 does not set the Author field to the identity of the user who last modified a document, which allows remote authenticated users without programming rights to execute arbitrary code by selecting a document whose author has programming rights, modifying this document to contain a script, and previewing without saving the document.

PreviewAction de XWiki 0.9.543 hasta 0.9.1252 no asigna al campo Author la identidad del usuario que modificó por último un documento, lo cual permite a usuarios remotos autenticados sin derechos de programación ejecutar código de su elección seleccionando un documento cuyo autor tiene derechos de programación, modificando ese documento para que contenga un script, y previsualizándolo sin guardar el contenido.

*Credits: N/A

CVSS Scores

NISTv2 6.5

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2007-09-13 CVE Reserved
2007-09-14 CVE Published
2024-09-16 CVE Updated
2024-09-17 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-264: Permissions, Privileges, and Access Controls

CAPEC

References (1)

URL	Tag	Source
http://jira.xwiki.org/jira/browse/XWIKI-366	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Xwiki Search vendor "Xwiki"		Xwiki Search vendor "Xwiki" for product "Xwiki"				0.9.543 Search vendor "Xwiki" for product "Xwiki" and version "0.9.543"		-		Affected
Xwiki Search vendor "Xwiki"		Xwiki Search vendor "Xwiki" for product "Xwiki"				0.9.790 Search vendor "Xwiki" for product "Xwiki" and version "0.9.790"		-		Affected
Xwiki Search vendor "Xwiki"		Xwiki Search vendor "Xwiki" for product "Xwiki"				0.9.793 Search vendor "Xwiki" for product "Xwiki" and version "0.9.793"		-		Affected
Xwiki Search vendor "Xwiki"		Xwiki Search vendor "Xwiki" for product "Xwiki"				0.9.840 Search vendor "Xwiki" for product "Xwiki" and version "0.9.840"		-		Affected
Xwiki Search vendor "Xwiki"		Xwiki Search vendor "Xwiki" for product "Xwiki"				0.9.1252 Search vendor "Xwiki" for product "Xwiki" and version "0.9.1252"		-		Affected