BugTraq
[CVE-2011-2712] Apache Wicket XSS vulnerability Aug 23 2011 06:22PM
Martin Grigorov (mgrigorov apache org)
Severity: Important

Vendor:
The Apache Software Foundation

Versions Affected:
Apache Wicket 1.4.x

Apache Wicket 1.3.x and 1.5-RCx are not affected

Description:
With multi window support application configuration and special query
parameters it
is possible to execute any kind of JavaScript on a site running with the
affected versions.

Mitigation:
Either disable multi window support with
org.apache.wicket.settings.IPageSettings.setAutomaticMultiWindowSupport(
false)
or upgrade to Apache Wicket 1.4.18 or 1.5-RC5.1.

Credit:
This issue was discovered by Sven Krewitt of T�V Rheinland i-sec GmbH.

Apache Wicket Team

[ reply ]


 

Privacy Statement
Copyright 2010, SecurityFocus