Moderate severity · NVD Advisory · Published Sep 14, 2007 · Updated Jun 16, 2026
CVE-2006-7223
Description
PreviewAction in XWiki 0.9.543 through 0.9.1252 does not set the Author field to the identity of the user who last modified a document, which allows remote authenticated users without programming rights to execute arbitrary code by selecting a document whose author has programming rights, modifying this document to contain a script, and previewing without saving the document.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.xwiki.platform:xwiki-platform-oldcore (Maven) | >= 0.9.543, < 1.0B1 | 1.0B1 |
References
- github.com/advisories/GHSA-h5jm-jjgx-q2wf (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2006-7223 (ghsa, ADVISORY)
- github.com/xwiki/xwiki-platform/commit/c44172a3556d12b62c0d793ab18475e5e13d7120 (ghsa, WEB)
- web.archive.org/web/20080616064908/http://jira.xwiki.org/jira/browse/XWIKI-366 (ghsa, WEB)
- jira.xwiki.org/jira/browse/XWIKI-366 (nvd)