CVE-2006-7223 — XWiki Remote Code Execution

Description

PreviewAction in XWiki 0.9.543 through 0.9.1252 does not set the Author field to the identity of the user who last modified a document, which allows remote authenticated users without programming rights to execute arbitrary code by selecting a document whose author has programming rights, modifying this document to contain a script, and previewing without saving the document.

How to fix CVE-2006-7223

To remediate CVE-2006-7223, upgrade the affected package to a fixed version below.

Maven/org.xwiki.platform:xwiki-platform-oldcore—upgrade to 1.0B1 or later

Is CVE-2006-7223 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 0.9.543, < 1.0B1

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2006-7223
PATCHgithub.com/xwiki/xwiki-platform
WEBgithub.com/xwiki/xwiki-platform/commit/c44172a3556d12b62c0d793ab18475e5e13d7120
WEBweb.archive.org/web/20080616064908/http://jira.xwiki.org/jira/browse/XWIKI-366