PreviewAction in XWiki 0.9.543 through 0.9.1252 does not set the Author field to the identity of the user who last modified a document, which allows remote authenticated users without programming rights to execute arbitrary code by selecting a document whose author has programming rights, modifying this document to contain a script, and previewing without saving the document.
| Package (Ecosystem) | Introduced | Fixed | Limit |
|---|---|---|---|
| org.xwiki.platform:xwiki-platform-oldcore(Maven) | 0.9.543 | 1.0B1 | N/A |
CVSS Metrics
