CVE-2006-7223: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

May 1, 2022 (updated February 12, 2024)

PreviewAction in XWiki 0.9.543 through 0.9.1252 does not set the Author field to the identity of the user who last modified a document, which allows remote authenticated users without programming rights to execute arbitrary code by selecting a document whose author has programming rights, modifying this document to contain a script, and previewing without saving the document.

References

github.com/advisories/GHSA-h5jm-jjgx-q2wf
github.com/xwiki/xwiki-platform/commit/c44172a3556d12b62c0d793ab18475e5e13d7120
nvd.nist.gov/vuln/detail/CVE-2006-7223
web.archive.org/web/20080616064908/http://jira.xwiki.org/jira/browse/XWIKI-366

Code Behaviors & Features

Detect and mitigate CVE-2006-7223 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →