exploitDog

GHSA-h5jm-jjgx-q2wf

Published: 01 May 2022
Source: github
Github: Reviewed

Description

XWiki Remote Code Execution

PreviewAction in XWiki 0.9.543 through 0.9.1252 does not set the Author field to the identity of the user who last modified a document, which allows remote authenticated users without programming rights to execute arbitrary code by selecting a document whose author has programming rights, modifying this document to contain a script, and previewing without saving the document.

Packages

Name: org.xwiki.platform:xwiki-platform-oldcore
Ecosystem: maven
Affected versions: >= 0.9.543, <= 0.9.1252
Fixed version: 1.0B1

EPSS

Percentile: 61%
0.00418
Low

Related vulnerabilities

nvd
more than 18 years ago

PreviewAction in XWiki 0.9.543 through 0.9.1252 does not set the Author field to the identity of the user who last modified a document, which allows remote authenticated users without programming rights to execute arbitrary code by selecting a document whose author has programming rights, modifying this document to contain a script, and previewing without saving the document.
