Lucene search

[email protected]CVE-2007-4888

HistorySep 14, 2007 - 12:17 a.m.

CVE-2007-4888

2007-09-1400:17:00

[email protected]

web.nvd.nist.gov

xwiki

security

cve-2007-4888

authentication

remote

vulnerability

nvd

3.5 Low

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:S/C:P/I:N/A:N

6.2 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

50.2%

JSON

The “You are not allowed…” error handler in XWiki 1.0 B1 and 1.0 B2 associates the doc variable with the entire document content and metadata regardless of a user’s view rights, which allows remote authenticated users to read arbitrary documents via a custom skin that prints the content attribute of the doc variable.

Affected configurations

NVD

Node

xwikixwikiMatch1.0_b1

xwikixwikiMatch1.0_b2

CPENameOperatorVersion
xwiki:xwikixwikieq1.0_b1
xwiki:xwikixwikieq1.0_b2

CPE	Name	Operator	Version
xwiki:xwiki	xwiki	eq	1.0_b1
xwiki:xwiki	xwiki	eq	1.0_b2

References

jira.xwiki.org/jira/browse/XWIKI-726

osvdb.org/40499

3.5 Low

CVSS2

Attack Vector

NETWORK

Attack Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:S/C:P/I:N/A:N

6.2 Medium

AI Score

Confidence

Low

0.001 Low

EPSS

Percentile

50.2%

JSON

Related for CVE-2007-4888

prion1 nvd1 cvelist1