CVE-2006-7223

GHSA-h5jm-jjgx-q2wf, CVE-2006-7223

maven/org.xwiki.platform/xwiki-platform-oldcore

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

PreviewAction in XWiki 0.9.543 through 0.9.1252 does not set the Author field to the identity of the user who last modified a document, which allows remote authenticated users without programming rights to execute arbitrary code by selecting a document whose author has programming rights, modifying this document to contain a script, and previewing without saving the document.

All versions starting from 0.9.543 up to 0.9.1252

Upgrade to version 1.0B1 or above.

2024-02-13