[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[CVE-2012-0047] Apache Wicket XSS vulnerability via pageMapName request parameter

To: announce@xxxxxxxxxxxxxxxxx, users@xxxxxxxxxxxxxxxxx, dev@xxxxxxxxxxxxxxxxx
Subject: [CVE-2012-0047] Apache Wicket XSS vulnerability via pageMapName request parameter
From: Martin Grigorov <mgrigorov@xxxxxxxxxx>
Date: Thu, 22 Mar 2012 11:49:53 +0200

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Wicket 1.4.x

Apache Wicket 1.3.x and 1.5.x are not affected

Description:
A Cross Site Scripting (XSS) attack is possible by manipulating the
value of 'wicket:pageMapName'
request parameter.

Mitigation:
Upgrade to Apache Wicket 1.4.20 or 1.5.5.

Credit:
This issue was discovered by Jens Schenck.

Apache Wicket Team

Prev by Date: struts2 xsltResult Local code execution vulnerability
Next by Date: [CVE-2012-1089] Apache Wicket serving of hidden files vulnerability
Previous by thread: struts2 xsltResult Local code execution vulnerability
Next by thread: [CVE-2012-1089] Apache Wicket serving of hidden files vulnerability
Index(es):
- Date
- Thread