[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] [CVE-2012-0047] Apache Wicket XSS vulnerability via pageMapName request parameter
- To: announce@xxxxxxxxxxxxxxxxx, users@xxxxxxxxxxxxxxxxx, dev@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] [CVE-2012-0047] Apache Wicket XSS vulnerability via pageMapName request parameter
- From: Martin Grigorov <mgrigorov@xxxxxxxxxx>
- Date: Thu, 22 Mar 2012 11:49:53 +0200
Severity: Important
Vendor:
The Apache Software Foundation
Versions Affected:
Apache Wicket 1.4.x
Apache Wicket 1.3.x and 1.5.x are not affected
Description:
A Cross Site Scripting (XSS) attack is possible by manipulating the
value of 'wicket:pageMapName'
request parameter.
Mitigation:
Upgrade to Apache Wicket 1.4.20 or 1.5.5.
Credit:
This issue was discovered by Jens Schenck.
Apache Wicket Team
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/