Date: Wed, 2 Mar 2016 16:03:54 +0100
From: Martin Grigorov <mgrigorov@...che.org>
To: announce@...ket.apache.org, 
	"users@...ket.apache.org" <users@...ket.apache.org>, "dev@...ket.apache.org" <dev@...ket.apache.org>, 
	"security@...che.org" <security@...che.org>, oss-security@...ts.openwall.com, 
	bugtraq@...urityfocus.com
Subject: [CVE-2015-7520] Apache Wicket XSS vulnerability

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected: Apache Wicket 1.5.x, 6.x and 7.x

Description:

It is possible for JavaScript statements to break out of the “value”
attribute of a RadioGroup’s and CheckBoxMultipleChoice’s <input> elements.

This might pose a security threat if the written JavaScript contains
user-provided data.

Application developers are advised to upgrade to:

- Apache Wicket 1.5.15
- Apache Wicket 6.22.0
- Apache Wicket 7.2.0

Credit: This issue was reported by Canh Ngo!

Apache Wicket Team
