[<prev] [next>] [day] [month] [year] [list]
Date: Wed, 2 Mar 2016 16:03:54 +0100
From: Martin Grigorov <mgrigorov@...che.org>
To: announce@...ket.apache.org,
"users@...ket.apache.org" <users@...ket.apache.org>, "dev@...ket.apache.org" <dev@...ket.apache.org>,
"security@...che.org" <security@...che.org>, oss-security@...ts.openwall.com,
bugtraq@...urityfocus.com
Subject: [CVE-2015-7520] Apache Wicket XSS vulnerability
Severity: Important
Vendor: The Apache Software Foundation
Versions Affected: Apache Wicket 1.5.x, 6.x and 7.x
Description:
It is possible for JavaScript statements to break out of a RadioGroup’s and
CheckBoxMultipleChoice’s “value” attribute of <input> elements
This might pose a security threat if the written JavaScript contains user
provided data.
The application developers are recommended to upgrade to:
- Apache Wicket 1.5.15
- Apache Wicket 6.22.0
- Apache Wicket 7.2.0
Credit: This issue was reported by Canh Ngo!
Apache Wicket Team
Powered by blists - more mailing lists
Please check out the
Open Source Software Security Wiki, which is counterpart to this
mailing list.
Confused about mailing lists and their use?
Read about mailing lists on Wikipedia
and check out these
guidelines on proper formatting of your messages.
