Описание
PreviewAction in XWiki 0.9.543 through 0.9.1252 does not set the Author field to the identity of the user who last modified a document, which allows remote authenticated users without programming rights to execute arbitrary code by selecting a document whose author has programming rights, modifying this document to contain a script, and previewing without saving the document.
Уязвимые конфигурации
Конфигурация 1
Одно из
cpe:2.3:a:xwiki:xwiki:0.9.543:*:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:0.9.790:*:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:0.9.793:*:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:0.9.840:*:*:*:*:*:*:*
cpe:2.3:a:xwiki:xwiki:0.9.1252:*:*:*:*:*:*:*
EPSS
Процентиль: 61%
0.00418
Низкий
6.5 Medium
CVSS2
Дефекты
CWE-264
Связанные уязвимости
EPSS
Процентиль: 61%
0.00418
Низкий
6.5 Medium
CVSS2
Дефекты
CWE-264