Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score 3.5
CVE Id CVE-2007-4888
Last Modified 15 Nov 2008 01:58:56
Published 13 Sep 2007 08:17:00
Confidentiality Impact PARTIAL
Integrity Impact NONE
Availability Impact NONE
Access Vector NETWORK
Access Complexity MEDIUM
Authentication SINGLE_INSTANCE

CVE-2007-4888

Summary

The "You are not allowed..." error handler in XWiki 1.0 B1 and 1.0 B2 associates the doc variable with the entire document content and metadata regardless of a user's view rights, which allows remote authenticated users to read arbitrary documents via a custom skin that prints the content attribute of the doc variable.

Vulnerable Systems

Application

  • XWiki 1.0 B1

  • XWiki 1.0 B2


References

OSVDB - 40499

CONFIRM - http://jira.xwiki.org/jira/browse/XWIKI-726


Last Updated: 27 May 2016 10:45:58