Description
PreviewAction in XWiki 0.9.543 through 0.9.1252 does not set the Author field to the identity of the user who last modified a document, which allows remote authenticated users without programming rights to execute arbitrary code by selecting a document whose author has programming rights, modifying this document to contain a script, and previewing without saving the document.
Remediation
References
Related Vulnerabilities
Oracle Database Server CVE-2008-1821 Vulnerability (CVE-2008-1821)
FluxBB Use of Password Hash With Insufficient Computational Effort Vulnerability (CVE-2020-28873)
Oracle HTTP Server Other Vulnerability (CVE-2006-5350)
WordPress Plugin WordPress Landing Pages Unspecified Vulnerability (2.2.6)
WordPress Plugin WP Code Highlight.js Cross-Site Scripting (0.6.3)