[Full-disclosure] [CVE-2012-3373] Apache Wicket XSS vulnerability via manipulated URL parameter
- To: announce@xxxxxxxxxxxxxxxxx, users@xxxxxxxxxxxxxxxxx, dev@xxxxxxxxxxxxxxxxx
- From: Carl-Eric Menzel <cmenzel@xxxxxxxxxxxxx>
- Date: Thu, 6 Sep 2012 15:37:45 +0200
Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Wicket 1.4.x and 1.5.x

Description:
https://wicket.apache.org/2012/09/06/cve-2012-3373.html
It is possible to inject JavaScript statements into an ajax link by
adding an encoded null byte to a URL pointing to a Wicket app. This
could be done by sending a legitimate user a manipulated URL and
tricking the user into clicking on it.

This vulnerability is fixed in
- Apache Wicket 1.4.21
  https://wicket.apache.org/2012/09/05/wicket-1.4.21-released.html
- Apache Wicket 1.5.8
  https://wicket.apache.org/2012/08/24/wicket-1.5.8-released.html

Apache Wicket 6.0.0 is not affected.

Credit:
This issue was reported by Thomas Heigl.

Apache Wicket Team
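
The advisory above describes a manipulated URL carrying an encoded null byte. The following is an added example, not part of the advisory and not Apache Wicket code: a log check that flags requests whose URL decodes to a NUL byte, including nested encodings. The log format, the paths, the parameter name and the decode-round limit are assumptions, and the sample lines are constructed.

```python
import re
from urllib.parse import unquote

# Request field of a common/combined access-log line: "METHOD target HTTP/x.y"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Assumption: three rounds cover %00 and nested encodings such as %2500.
MAX_DECODE_ROUNDS = 3


def has_encoded_nul(target):
    """Return True if the request target yields a NUL byte after repeated
    percent-decoding (at most MAX_DECODE_ROUNDS rounds)."""
    current = target
    for _ in range(MAX_DECODE_ROUNDS):
        decoded = unquote(current, encoding="latin-1")
        if "\x00" in decoded:
            return True
        if decoded == current:  # nothing left to decode
            return False
        current = decoded
    return False


def flag_requests(log_lines):
    """Return (line_number, target) for every line whose URL carries an encoded NUL."""
    hits = []
    for number, line in enumerate(log_lines, start=1):
        match = REQUEST_RE.search(line)
        if match and has_encoded_nul(match.group("target")):
            hits.append((number, match.group("target")))
    return hits


# Constructed sample lines; paths and the "id" parameter are hypothetical.
SAMPLE_LOG = [
    '192.0.2.10 - - [06/Sep/2012:15:40:01 +0200] "GET /app/page?id=7 HTTP/1.1" 200 512',
    '198.51.100.4 - - [06/Sep/2012:15:41:12 +0200] "GET /app/page?id=7%00 HTTP/1.1" 200 530',
    '198.51.100.4 - - [06/Sep/2012:15:41:40 +0200] "GET /app/page?id=7%2500 HTTP/1.1" 200 530',
    '192.0.2.10 - - [06/Sep/2012:15:42:03 +0200] "GET /static/logo00.png HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for number, target in flag_requests(SAMPLE_LOG):
        print(f"line {number}: encoded NUL in {target}")
```

A hit only shows that such a URL was requested; whether the application was exposed depends on the Wicket version in use, as listed in the advisory.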