[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] [CVE-2012-0047] Apache Wicket XSS vulnerability via pageMapName request parameter

To: announce@xxxxxxxxxxxxxxxxx, users@xxxxxxxxxxxxxxxxx, dev@xxxxxxxxxxxxxxxxx
Subject: [Full-disclosure] [CVE-2012-0047] Apache Wicket XSS vulnerability via pageMapName request parameter
From: Martin Grigorov <mgrigorov@xxxxxxxxxx>
Date: Thu, 22 Mar 2012 11:49:53 +0200

Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Wicket 1.4.x

Apache Wicket 1.3.x and 1.5.x are not affected

Description:
A Cross Site Scripting (XSS) attack is possible by manipulating the
value of 'wicket:pageMapName'
request parameter.

Mitigation:
Upgrade to Apache Wicket 1.4.20 or 1.5.5.

Credit:
This issue was discovered by Jens Schenck.

Apache Wicket Team

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Prev by Date: [Full-disclosure] Minify and related plugins DOM-Based XSS Vulnerability
Next by Date: [Full-disclosure] [CVE-2012-1089] Apache Wicket serving of hidden files vulnerability
Previous by thread: [Full-disclosure] Minify and related plugins DOM-Based XSS Vulnerability
Next by thread: [Full-disclosure] [CVE-2012-1089] Apache Wicket serving of hidden files vulnerability
Index(es):
- Date
- Thread