Back to list
[CVE-2012-3373] Apache Wicket XSS vulnerability via manipulated URL parameter
Sep 06 2012 01:37PM
Carl-Eric Menzel (cmenzel wicketbuch de)
The Apache Software Foundation
Apache Wicket 1.4.x and 1.5.x
adding an encoded null byte to a URL pointing to a Wicket app. This
could be done by sending a legitimate user a manipulated URL and
tricking the user into clicking on it.
This vulnerability is fixed in
- Apache Wicket 1.4.21
- Apache Wicket 1.5.8
Apache Wicket 6.0.0 is not affected.
This issue was reported by Thomas Heigl.
Apache Wicket Team
[ reply ]
Copyright 2010, SecurityFocus