Moderate severity · NVD Advisory · Published Sep 14, 2007 · Updated Jun 16, 2026

CVE-2006-7223

Description

PreviewAction in XWiki 0.9.543 through 0.9.1252 does not set the Author field to the identity of the user who last modified a document, which allows remote authenticated users without programming rights to execute arbitrary code by selecting a document whose author has programming rights, modifying this document to contain a script, and previewing without saving the document.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.xwiki.platform:xwiki-platform-oldcore (Maven) | >= 0.9.543, < 1.0B1 | 1.0B1

Affected products

6
  • Cryptpad/Xwiki: 5 versions
    • cpe:2.3:a:xwiki:xwiki:0.9.1252:*:*:*:*:*:*:*
    • cpe:2.3:a:xwiki:xwiki:0.9.543:*:*:*:*:*:*:*
    • cpe:2.3:a:xwiki:xwiki:0.9.790:*:*:*:*:*:*:*
    • cpe:2.3:a:xwiki:xwiki:0.9.793:*:*:*:*:*:*:*
    • cpe:2.3:a:xwiki:xwiki:0.9.840:*:*:*:*:*:*:*
  • ghsa-coords
    Range: >= 0.9.543, < 1.0B1
